Exploit
CVE-2024-7645

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Aug 12, 2024 / Updated: 3mo ago

CVSS 6.9 | EPSS 0.05% | Medium

Summary

A vulnerability has been identified in SourceCodester Clinics Patient Management System version 1.0. This vulnerability affects the User Page component, specifically in the users.php file. The issue allows for cross-site request forgery (CSRF) attacks. The vulnerability can be exploited remotely and requires user interaction.

Impact

Successful exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of authenticated users. This may result in data manipulation, unauthorized transactions, or account compromises. The CVSS v3.1 base score is 5.4 (Medium), with low impacts on both confidentiality and integrity, but no impact on availability. The attack vector is network-based, has low attack complexity, requires no privileges, but does need user interaction.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

No patch for this vulnerability is mentioned in the currently available information.

Mitigation

While no specific patch is mentioned, general mitigation strategies for CSRF vulnerabilities include:

1. Implement anti-CSRF tokens in all forms and state-changing requests.
2. Use the SameSite cookie attribute to limit the scope of session cookies.
3. Implement proper Cross-Origin Resource Sharing (CORS) policies.
4. Educate users about the risks of clicking on unknown links or interacting with untrusted content.
5. Consider implementing additional authentication steps for sensitive actions.
6. Regularly update and patch the Clinics Patient Management System as fixes become available.
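As an added illustration of mitigations 1 and 2 (not code from the Clinics Patient Management System project), the following PHP pattern shows what a hardened state-changing handler such as a user-management page looks like: a per-session anti-CSRF token embedded in the form and checked with a constant-time comparison, plus a session cookie marked SameSite. The helper names `csrf_token` and `verify_csrf` are assumptions for this example.

```php
<?php
// Added example: anti-CSRF token + SameSite session cookie for a PHP
// state-changing handler. Helper names are hypothetical; not project code.

// Mark the session cookie SameSite=Lax (plus Secure/HttpOnly) before the
// session starts, so a cross-site POST from another origin does not carry it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Return the per-session token, generated once from a CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token submitted with a request; hash_equals avoids timing leaks.
function verify_csrf(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before any user record is created or modified.
    if (!verify_csrf($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the user add/update here (application-specific) ...
}
?>
<!-- Every state-changing form carries the token as a hidden field. -->
<form method="post" action="users.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <button type="submit">Save user</button>
</form>
```

Because the token lives only in the victim's session and is never readable cross-origin, a forged request from another site cannot supply it, and the SameSite attribute stops the browser from attaching the session cookie to that request in the first place.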

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-7645.
Aug 9, 2024 at 9:04 AM / VulDB Updates

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Aug 9, 2024 at 9:04 AM

CVE Assignment
NVD published the first details for CVE-2024-7645.
Aug 12, 2024 at 1:38 PM

CVSS
A CVSS base score of 4.3 has been assigned.
Aug 12, 2024 at 1:41 PM / nvd

Affected Systems

Oretnom23/clinic's_patient_management_system

Exploits

https://github.com/ddChenA/cve/blob/main/csrf.md

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Update Tue Sep 10 14:37:08 UTC 2024
CVE-2024-7645 Exploit
CVE Id : CVE-2024-7645 Published Date: 2024-08-15T17:43:00+00:00 A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file users.php of the component User Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/ddChenA/cve/blob/main/csrf.md
CVE-2024-7645
Medium Severity Description A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file users.php of the component User Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-7645
Cross-Site Request Forgery vulnerability in SourceCodester Clinics Patient Management System
Sourcecodester - MEDIUM - CVE-2024-7645 A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file users.php of the component User Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
SOURCECODESTER CLINICS PATIENT MANAGEMENT SYSTEM CVE-2024-7645 CVE-2024-7645 SourceCodester Clinics Patient Management System User Page users.php cross-site request forgery A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file users.php of the component User Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. https://www.cve.org/CVERecord?id=CVE-2024-7645 https://vuldb.com/?id.274066 https://vuldb.com/?ctiid.274066 https://vuldb.com/?submit.387399 https://github.com/ddChenA/cve/blob/main/csrf.md #SourceCodester #ClinicsPatientManagementSystem #CVE_2024_7645 #bot

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: None
