FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2024-7169

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Jul 28, 2024 / Updated: 3mo ago

010
CVSS 6.9EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A problematic vulnerability has been identified in SourceCodester School Fees Payment System version 1.0, specifically affecting an unknown part of the file /ajax.php. This vulnerability allows for cross-site request forgery (CSRF) attacks. The attack can be initiated remotely, and a public exploit is available.

Impact

This CSRF vulnerability has a high severity, with a CVSS v3.1 base score of 8.8. It can lead to significant impacts on confidentiality, integrity, and availability of the system. Attackers could potentially perform unauthorized actions on behalf of authenticated users, such as manipulating sensitive data, modifying system configurations, or disrupting normal operations of the School Fees Payment System. The attack vector is network-based, requires low attack complexity, and no privileges, but does need user interaction.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including t.me.

Patch

Currently, there is no mention of an available patch for this vulnerability in SourceCodester School Fees Payment System version 1.0.

Mitigation

To mitigate this vulnerability: 1. Implement anti-CSRF tokens in all forms and AJAX requests within the School Fees Payment System. 2. Use the SameSite cookie attribute to limit the scope of cookies. 3. Implement strict input validation and sanitization for all user inputs, particularly in the /ajax.php file. 4. Add security headers such as Content-Security-Policy. 5. Regularly update and patch the School Fees Payment System software. 6. Educate users about the risks of clicking on untrusted links while authenticated to the system.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7169. See article

Jul 28, 2024 at 7:37 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 28, 2024 at 7:38 PM
CVE Assignment

NVD published the first details for CVE-2024-7169

Jul 28, 2024 at 8:15 PM
CVSS

A CVSS base score of 4.3 has been assigned.

Jul 28, 2024 at 8:20 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 28, 2024 at 8:31 PM
Exploitation in the Wild

Attacks in the wild have been reported by CTI Feeds - Cybercrime on Telegram. See article

Jul 28, 2024 at 10:06 PM / CTI Feeds - Cybercrime on Telegram
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.1%)

Jul 29, 2024 at 9:52 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Aug 12, 2024 at 2:40 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Aug 12, 2024 at 5:12 PM
Static CVE Timeline Graph

Affected Systems

Oretnom23/school_fees_payment_system
+null more

Exploits

https://gist.github.com/topsky979/421c916be6ab09dc990896b07185ec89
+null more

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
+null more

News

CVE-2024-7169 Exploit
inTheWild.io Exploits / 3mo
CVE Id : CVE-2024-7169 Published Date: 2024-08-12T14:36:00+00:00 A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583. inTheWild added a link to an exploit: https://gist.github.com/topsky979/421c916be6ab09dc990896b07185ec89
Update Fri Aug 2 14:35:21 UTC 2024
Recent Commits to cve:main / 3mo
Update Fri Aug 2 14:35:21 UTC 2024
CVE-2024-7169
INCIBE-CERT - Vulnerabilities RSS / 3mo
Gravedad 3.1 (CVSS 3.1 Base Score) A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0.
CVE-2024-7169
Updated CVEs from Tenable / 3mo
Medium Severity Description A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583. Read more at https://www.tenable.com/cve/CVE-2024-7169
NA - CVE-2024-7169 - A vulnerability classified as problematic has...
Security-Database Alerts Monitor : Last 100 Alerts / 3mo
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. Cvss vector : N/A Overall CVSS Score NA Base Score NA Environmental Score NA impact SubScore NA Temporal Score NA Exploitabality Sub Score NA Calculate full CVSS 3.0 Vectors scores
See 7 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.8(18246)CWE-352(6421)Oretnom23(416)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial