Exploit
CVE-2024-9810

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A vulnerability has been discovered in SourceCodester Record Management System version 1.0. The issue is located in the file sort2_user.php and involves improper neutralization of input during web page generation, which can lead to cross-site scripting (XSS). This vulnerability allows for remote exploitation and has been publicly disclosed.

Impact

If exploited, this cross-site scripting vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive information, such as session tokens or login credentials, manipulation of web content, or redirection of users to malicious websites. The CVSS v3.1 base score of 6.1 (Medium severity) indicates a moderate level of risk, with potential for low impact on both confidentiality and integrity, but no direct impact on availability.

Exploitation

One proof-of-concept exploit is available on github.com. There is currently no evidence of exploitation.

Patch

As of now, there is no information provided about an available patch for this vulnerability in SourceCodester Record Management System 1.0. The security team should closely monitor for any updates or patches released by the vendor.

Mitigation

To mitigate this vulnerability:

1. Implement input validation and output encoding for all user-supplied input in the affected file (sort2_user.php) and throughout the application.
2. Use Content Security Policy (CSP) headers to restrict the execution of scripts.
3. Apply the principle of least privilege to limit the potential impact of successful XSS attacks.
4. Consider using Web Application Firewalls (WAF) to help detect and block XSS attempts.
5. Regularly update and patch the SourceCodester Record Management System as soon as fixes become available.
6. Educate users about the risks of clicking on untrusted links or submitting sensitive information through the affected system.

Given the public disclosure of the exploit, it is crucial to prioritize addressing this vulnerability to prevent potential attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9810.

Oct 10, 2024 at 8:13 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 10, 2024 at 8:14 PM
CVE Assignment

NVD published the first details for CVE-2024-9810

Oct 10, 2024 at 8:15 PM
CVSS

A CVSS base score of 3.5 has been assigned.

Oct 10, 2024 at 8:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 6.1 has been assigned.

Oct 15, 2024 at 7:25 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM

Affected Systems

Jkev/record_management_system

Exploits

https://github.com/GangZhou1/VUL/blob/main/Record-Management-System-1.md

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
