Exploit
CVE-2024-9803

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A vulnerability has been identified in the Blood Bank Management System version 1.0 developed by code-projects. It affects an unknown part of the file blooddetails.php. Manipulation of the 'Availability' argument allows cross-site scripting (XSS). The vulnerability is exploitable remotely, but exploitation requires user interaction and low privileges.

Impact

If exploited, this cross-site scripting vulnerability could allow attackers to inject malicious scripts into the web application. This could lead to theft of sensitive information, session hijacking, or manipulation of the web content presented to users. The impact is rated low for confidentiality and integrity, with no direct impact on availability. The attack complexity is low, but user interaction is required, which may limit the vulnerability's practical effect.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability. Users of the Blood Bank Management System version 1.0 should be aware that they are potentially at risk.

Mitigation

While a patch is not mentioned, general mitigation strategies for XSS vulnerabilities should be applied:

1. Implement proper input validation and sanitization, especially for the 'Availability' parameter in blooddetails.php.
2. Use content security policies (CSP) to prevent the execution of unauthorized scripts.
3. Apply the principle of least privilege to limit the potential impact of successful attacks.
4. Regularly update and patch the Blood Bank Management System as fixes become available.
5. Educate users about the risks of clicking on suspicious links or interacting with untrusted content.
6. Consider implementing web application firewalls (WAF) to help detect and block XSS attempts.
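The following is an added illustration of mitigation points 1 and 2 above, not code from the Blood Bank Management System or its authors. It shows the generic CWE-79 pattern (a request parameter written straight into the HTML response) beside a hardened version that allow-lists the value, HTML-encodes it on output, and sends a Content-Security-Policy header. Only the parameter name 'Availability' and the file name come from the advisory; the allowed values, the table-cell markup, and every function name below are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Only the parameter name
// 'Availability' is taken from the advisory; the allowed values, markup and
// function names are assumptions for illustration.

declare(strict_types=1);

// Unsafe pattern: untrusted request input is written directly into HTML, so
// any markup the client supplies is interpreted by the browser (CWE-79).
function renderAvailabilityUnsafe(array $request): string
{
    $availability = $request['Availability'] ?? '';
    return '<td>' . $availability . '</td>';
}

// Hardened pattern, step 1: validate against an allow-list of expected values.
// The set below is assumed; use whatever the application's schema defines.
function validateAvailability(string $value): ?string
{
    $allowed = ['Available', 'Not Available'];
    return in_array($value, $allowed, true) ? $value : null;
}

// Hardened pattern, step 2: HTML-encode every value echoed into a page, even
// after validation, so the browser renders it as text rather than markup.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAvailabilitySafe(array $request): string
{
    $raw = $request['Availability'] ?? '';
    if (!is_string($raw)) {
        $raw = ''; // e.g. Availability[]=... arrives as an array; treat as invalid
    }
    $validated = validateAvailability($raw);
    if ($validated === null) {
        // Reject unexpected input instead of reflecting it, and log the event
        // so repeated odd values show up in monitoring.
        error_log('blooddetails: rejected unexpected Availability value');
        $validated = 'Unknown';
    }
    return '<td>' . escapeHtml($validated) . '</td>';
}

// Defence in depth (mitigation point 2): a CSP limits what an injected script
// could do if encoding is ever missed. Must be sent before any response body.
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Demonstration with a constructed request whose value contains HTML
// metacharacters (this is sample data, not a real payload).
$constructedRequest = ['Availability' => '<i>Available</i>'];

sendCspHeader();
echo renderAvailabilityUnsafe($constructedRequest), PHP_EOL; // markup passes through unchanged
echo renderAvailabilitySafe($constructedRequest), PHP_EOL;   // allow-list rejects it
echo escapeHtml($constructedRequest['Availability']), PHP_EOL; // what encoding alone yields
```

Run it from the command line with `php example.php`; the first line shows the raw markup reaching the output, the second shows the allow-list rejecting it, and the third shows the angle brackets converted to entities. In a real fix the allow-list step should match the application's actual set of availability values, and encoding should be applied wherever blooddetails.php echoes request data, not only for this one parameter, since the advisory notes other parameters may be affected.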

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9803.

Oct 10, 2024 at 9:48 AM / VulDB Updates
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 10, 2024 at 9:48 AM
CVE Assignment

NVD published the first details for CVE-2024-9803

Oct 10, 2024 at 5:15 PM
CVSS

A CVSS base score of 3.5 has been assigned.

Oct 10, 2024 at 5:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 16, 2024 at 4:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 16, 2024 at 7:11 PM

Affected Systems

Code-project/blood_bank_system

Exploits

https://github.com/cookie5201314/CVE/blob/main/xss4-w.md

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

CVE-2024-9803 Exploit
CVE Id : CVE-2024-9803 Published Date: 2024-10-16T16:21:00+00:00 A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been classified as problematic. This affects an unknown part of the file blooddetails.php. The manipulation of the argument Availibility leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. inTheWild added a link to an exploit:
Update Sun Oct 13 14:25:38 UTC 2024
CVE Alert: CVE-2024-9803 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9803/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9803
CVE Alert: CVE-2024-9803
Affected Endpoints: The manipulation of the argument Availibility leads to cross site scripting.
CVE-2024-9803
Low Severity. Description: A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been classified as problematic. This affects an unknown part of the file blooddetails.php. The manipulation of the argument Availibility leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. Read more at https://www.tenable.com/cve/CVE-2024-9803

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
