Exploit
CVE-2024-9799

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 10, 2024 / Updated: 40d ago

010
CVSS 5.3EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A vulnerability has been discovered in SourceCodester Profile Registration without Reload Refresh version 1.0. The issue is related to cross-site scripting (XSS) and affects an unknown functionality in the add.php file. The vulnerability allows for the manipulation of various parameters including email_address, address, company_name, job_title, and jobDescription.

Impact

This cross-site scripting vulnerability could allow an attacker to inject malicious scripts into web pages viewed by other users. If exploited, it could lead to theft of sensitive information, session hijacking, or manipulation of web content. The attack can be launched remotely, potentially affecting multiple users of the system. Given the CVSS v3.1 base score of 6.1 (Medium severity) and CVSS v4.0 base score of 5.3 (Medium severity), this vulnerability poses a moderate risk to the confidentiality and integrity of the system.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information provided, there is no mention of an official patch being available for this vulnerability. The security team should closely monitor for any updates or patches released by SourceCodester for the Profile Registration without Reload Refresh 1.0 application.

Mitigation

Until a patch is available, consider the following mitigation strategies: 1. Implement strong input validation and output encoding for all user-supplied input, particularly in the add.php file. 2. Use Content Security Policy (CSP) headers to mitigate the risk of XSS attacks. 3. Consider temporarily disabling or restricting access to the vulnerable functionality if possible without disrupting critical operations. 4. Educate users about the risks of clicking on suspicious links or interacting with untrusted content. 5. Regularly monitor logs for any signs of exploitation attempts. 6. If feasible, consider upgrading to a newer version of the software or exploring alternative solutions that are not vulnerable to this specific XSS issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9799. See article

Oct 10, 2024 at 4:39 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 10, 2024 at 4:41 PM
CVE Assignment

NVD published the first details for CVE-2024-9799

Oct 10, 2024 at 5:15 PM
CVSS

A CVSS base score of 3.5 has been assigned.

Oct 10, 2024 at 5:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 6.1 has been assigned.

Oct 17, 2024 at 2:35 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 5:12 PM
Static CVE Timeline Graph

Affected Systems

Rems/profile_registration_without_reload\/refresh
+null more

Exploits

https://gist.github.com/sechurity/07c5a3a15f21313ee657d05baadbee19
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

CVE-2024-9799 Exploit
CVE Id : CVE-2024-9799 Published Date: 2024-10-17T14:32:00+00:00 A vulnerability has been found in SourceCodester Profile Registration without Reload Refresh 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file add.php. The manipulation of the argument email_address/address/company_name/job_title/jobDescriptionparameter leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/sechurity/07c5a3a15f21313ee657d05baadbee19
Update Sun Oct 13 14:25:38 UTC 2024
Update Sun Oct 13 14:25:38 UTC 2024
CVE Alert: CVE-2024-9799 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9799/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9799
CVE Alert: CVE-2024-9799
Affected by this vulnerability is an unknown functionality of the file add.php. Everyone that supports the site helps enable new functionality.
CVE-2024-9799
Low Severity Description A vulnerability has been found in SourceCodester Profile Registration without Reload Refresh 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file add.php. The manipulation of the argument email_address/address/company_name/job_title/jobDescriptionparameter leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9799
See 7 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI