Exploit
CVE-2024-9906

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 13, 2024 / Updated: 38d ago

CVSS 5.3 | EPSS 0.05% | Medium

Summary

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. The vulnerability is specifically located in an unknown function within the file /admin/?page=inventory/view_inventory&id=2. The issue arises from improper neutralization of input during web page generation, allowing manipulation of the 'Code' argument to execute malicious scripts.

Impact

This vulnerability could allow attackers to inject and execute malicious scripts in the context of the affected web application. Successful exploitation could lead to theft of sensitive information (such as user credentials or session tokens), manipulation of web content, or redirection of users to malicious websites. The attacker could potentially perform actions on behalf of the victim user, compromising the integrity of the user's interaction with the application.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability in SourceCodester Online Eyewear Shop 1.0.

Mitigation

While no specific patch is mentioned, general mitigation strategies for XSS vulnerabilities include:

1. Implement proper input validation and sanitization for all user-supplied data, especially the 'Code' parameter in the affected file.
2. Use a Content Security Policy (CSP) to restrict the execution of scripts.
3. Employ output encoding when rendering user-controlled data.
4. Consider using security frameworks or libraries that automatically escape output.
5. Regularly update and patch the application as fixes become available.
6. Restrict access to the affected admin page to only necessary personnel.
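The following is an added example of mitigations 1 to 3 applied to a view that renders an inventory record's 'Code' field; it is not code from the Online Eyewear Shop project or from the PoC. The sample values, the allowlist pattern and the page template are constructed assumptions for illustration; the contrast is between the CWE-79 pattern (raw concatenation into HTML) and the encoded rendering plus a nonce-based CSP header.

```python
import html
import re
import secrets

# Constructed sample values (not the PoC from the page): a benign inventory code
# and a string carrying markup of the kind a stored XSS payload would contain.
GOOD_CODE = "EW-1001"
BAD_CODE = '<script>alert(1)</script>" onmouseover="x'

# Assumed allowlist: product codes only need letters, digits, dash and underscore.
CODE_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_code(code: str) -> bool:
    """Allowlist validation for the 'Code' parameter (mitigation 1).

    Anything outside the allowlist is rejected before it reaches storage or
    the page, so the encoding step below is defence in depth, not the only line.
    """
    return CODE_PATTERN.fullmatch(code) is not None


def render_unsafe(code: str) -> str:
    """The CWE-79 pattern: user-controlled data concatenated straight into HTML.

    Shown only to contrast with render_safe(); a stored value containing
    markup is emitted verbatim into both the cell and the attribute.
    """
    return f'<td>{code}</td>\n<input name="code" value="{code}">'


def render_safe(code: str) -> str:
    """Output encoding (mitigation 3): escape &, <, >, " and ' before rendering.

    quote=True matters because the same value also lands inside an attribute,
    where an unescaped double quote would otherwise close the attribute.
    """
    encoded = html.escape(code, quote=True)
    return f'<td>{encoded}</td>\n<input name="code" value="{encoded}">'


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value (mitigation 2): only same-origin scripts
    and inline scripts carrying this response's nonce may execute."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


def build_page(code: str) -> tuple:
    """Assemble the headers and body an admin view would send for one record.

    Returns (headers, body). The nonce is fresh per response, so an injected
    inline <script> without it is blocked even if encoding were ever missed.
    """
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
        # Stops browsers sniffing a response into a different MIME type (CAPEC-209).
        "X-Content-Type-Options": "nosniff",
    }
    body = (
        "<!doctype html><html><body>"
        f"<table><tr><th>Code</th>{render_safe(code)}</tr></table>"
        f'<script nonce="{nonce}">console.log("inventory view loaded");</script>'
        "</body></html>"
    )
    return headers, body


if __name__ == "__main__":
    print("validate_code(GOOD_CODE) =", validate_code(GOOD_CODE))
    print("validate_code(BAD_CODE)  =", validate_code(BAD_CODE))
    print("unsafe:", render_unsafe(BAD_CODE))
    print("safe:  ", render_safe(BAD_CODE))
    hdrs, _ = build_page(BAD_CODE)
    print("CSP:   ", hdrs["Content-Security-Policy"])
```

Running the script shows the encoded cell (`&lt;script&gt;...`) beside the raw one, and a CSP that names the per-response nonce; a framework with auto-escaping templates (mitigation 4) gives the same `render_safe` behaviour by default, which is why it is worth preferring over hand-built string concatenation.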

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9906

Oct 13, 2024 at 4:15 AM
First Article

Feedly found the first article mentioning CVE-2024-9906. See article

Oct 13, 2024 at 4:16 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 13, 2024 at 4:17 AM
CVSS

A CVSS base score of 3.5 has been assigned.

Oct 13, 2024 at 4:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 13, 2024 at 12:22 PM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 16, 2024 at 10:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 1:10 AM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://gist.github.com/higordiego/1c1e1709a6832cb63bbe9e9328f55ff9

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

CVE-2024-9906 Exploit
CVE Id : CVE-2024-9906 Published Date: 2024-10-16T22:12:00+00:00 A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /admin/?page=inventory/view_inventory&id=2. The manipulation of the argument Code leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/higordiego/1c1e1709a6832cb63bbe9e9328f55ff9
CVE Alert: CVE-2024-9906 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9906/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9906
CVE-2024-9906
Low Severity. Description: A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /admin/?page=inventory/view_inventory&id=2. The manipulation of the argument Code leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9906

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
