Exploit
CVE-2024-9805

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 10, 2024 / Updated: 40d ago

010
CVSS 5.3EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A vulnerability has been identified in the Blood Bank System version 1.0 developed by code-projects. This issue affects the processing of the file /admin/campsdetails.php. The vulnerability allows for cross-site scripting (XSS) attacks through the manipulation of the arguments hospital, address, city, and contact. The attack can be initiated remotely and requires user interaction.

Impact

This cross-site scripting vulnerability could allow attackers to inject malicious scripts into the web application. If successfully exploited, it could lead to: 1. Theft of sensitive data: Attackers might be able to steal session tokens, cookies, or other critical information from users. 2. Unauthorized actions: Malicious scripts could perform actions on behalf of the victim user, potentially leading to data manipulation or unauthorized access. 3. Phishing attacks: Attackers could inject content that misleads users into revealing sensitive information. 4. Reputational damage: If exploited, it could lead to a loss of trust in the Blood Bank System among its users. The CVSS v3.1 base score for this vulnerability is 5.4 (Medium severity), indicating a moderate level of risk. The vulnerability has a "Changed" scope, meaning its impact could extend beyond the vulnerable component.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability in the Blood Bank System version 1.0. Users and administrators of the system should monitor for updates from code-projects and apply any security patches as soon as they become available.

Mitigation

Until a patch is available, consider the following mitigation strategies: 1. Input Validation: Implement strong input validation and sanitization for all user inputs, especially for the hospital, address, city, and contact fields in the /admin/campsdetails.php file. 2. Output Encoding: Ensure all output is properly encoded to prevent the execution of injected scripts. 3. Content Security Policy (CSP): Implement a strict CSP to reduce the risk of XSS attacks. 4. Web Application Firewall (WAF): Deploy a WAF to help filter out malicious requests. 5. User Education: Advise users to be cautious when interacting with the system, especially when following links or submitting information. 6. Access Control: Limit access to the affected component to only necessary users. 7. Regular Security Audits: Conduct frequent security reviews of the application to identify and address similar vulnerabilities. 8. Monitor for Exploits: Stay vigilant for any signs of exploitation attempts, as an exploit for this vulnerability has been publicly disclosed.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9805. See article

Oct 10, 2024 at 9:25 AM / VulDB Updates
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 10, 2024 at 9:26 AM
CVE Assignment

NVD published the first details for CVE-2024-9805

Oct 10, 2024 at 6:15 PM
CVSS

A CVSS base score of 3.5 has been assigned.

Oct 10, 2024 at 6:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 15, 2024 at 7:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM
Static CVE Timeline Graph

Affected Systems

Code-projects/blood_bank_system
+null more

Exploits

https://github.com/sternstundes/cve/blob/main/xss5.md
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

CVE-2024-9805 Exploit
CVE Id : CVE-2024-9805 Published Date: 2024-10-15T19:18:00+00:00 A vulnerability was found in code-projects Blood Bank System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/campsdetails.php. The manipulation of the argument hospital/address/city/contact leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "hospital". inTheWild added a link to an exploit:
CVE Alert: CVE-2024-9805 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9805/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9805
CVE-2024-9805
The initial researcher advisory only mentions the parameter "hospital". Gravedad 3.1 (CVSS 3.1 Base Score)
NA - CVE-2024-9805 - A vulnerability was found in code-projects...
A vulnerability was found in code-projects Blood Bank System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/campsdetails.php. The manipulation...
CVE-2024-9805
Low Severity Description A vulnerability was found in code-projects Blood Bank System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/campsdetails.php. The manipulation of the argument hospital/address/city/contact leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "hospital". Read more at https://www.tenable.com/cve/CVE-2024-9805
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI