Exploit
CVE-2024-9952

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 15, 2024 / Updated: 36d ago

CVSS 5.1 | EPSS 0.05% | Medium

Summary

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. The issue affects the Contact Information Page, specifically the file /admin/?page=system_info/contact_info. The vulnerability arises from improper neutralization of input during web page generation, allowing manipulation of the 'Address' parameter. This can potentially lead to the execution of malicious scripts in a user's browser session.

Impact

If exploited, this vulnerability could allow an attacker to inject and execute malicious scripts in the context of a user's browser session. This could lead to:

1. Theft of sensitive information such as session tokens or cookies
2. Manipulation of the website's content
3. Phishing attacks by injecting malicious forms
4. Potential redirection of users to malicious websites

The impact is somewhat limited due to the high privileges required for exploitation and the need for user interaction. However, the scope is changed, indicating that the vulnerable component impacts resources beyond its security scope.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability in SourceCodester Online Eyewear Shop 1.0. Users and administrators should monitor for updates from the vendor and apply any security patches as soon as they become available.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Implement strong input validation and sanitization for all user inputs, especially the 'Address' parameter in the Contact Information Page.
2. Apply Content Security Policy (CSP) headers to restrict the execution of scripts.
3. Use HTTP-only flags for session cookies to prevent access through client-side scripts.
4. Regularly update and patch the Online Eyewear Shop software as updates become available.
5. Limit access to the admin interface (/admin/) to only trusted and necessary personnel.
6. Implement Web Application Firewall (WAF) rules to detect and block XSS attempts.
7. Educate users about the risks of clicking on suspicious links or interacting with untrusted content.

Given the high privileges required and user interaction needed for exploitation, focusing on secure admin access and user awareness can significantly reduce the risk.
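As an added illustration of mitigations 1 to 3, not code from the Online Eyewear Shop project: a hardened way to store and render a free-form contact field such as Address. It assumes the application is PHP and that `$contact` is the row loaded for the Contact Information page; both are assumptions, and the sample row is constructed.

```php
<?php
// Added example (hypothetical), not code from the Online Eyewear Shop project.
// Assumes a PHP application; $contact stands in for the Contact Information
// row whose 'address' column is populated from the admin form.

// Mitigation 3: session cookie unreadable by script and sent only over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Mitigation 2: a restrictive CSP blocks inline script even if an encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

/**
 * Encode a value for an HTML text node or a quoted attribute value.
 * ENT_QUOTES also encodes ' and ", so the same helper is safe in both contexts.
 */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Mitigation 1 (on write): bound the length and reject control characters.
 * Addresses are free-form text, so this does not try to strip markup;
 * output encoding above is what actually neutralises it.
 */
function validate_address(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || mb_strlen($input, 'UTF-8') > 200) {
        return null;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', $input) ? null : $input;
}

// Constructed sample row; markup and '&' here render as literal text, not HTML.
$contact = ['address' => '<b>123 Main St</b> & Co.'];
?>
<!-- Rendered in the two contexts the page is likely to use. -->
<p class="address"><?= h($contact['address']) ?></p>
<input type="text" name="address" value="<?= h($contact['address']) ?>">
```

With the sample row the page emits `&lt;b&gt;123 Main St&lt;/b&gt; &amp; Co.` in both places, so the browser displays the tags instead of interpreting them.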

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9952.

Oct 15, 2024 at 2:12 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 15, 2024 at 2:13 AM
CVE Assignment

NVD published the first details for CVE-2024-9952

Oct 15, 2024 at 2:15 AM
CVSS

A CVSS base score of 2.4 has been assigned.

Oct 15, 2024 at 2:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 15, 2024 at 10:16 AM
CVSS

A CVSS base score of 4.8 has been assigned.

Oct 16, 2024 at 3:10 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 16, 2024 at 5:11 PM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://gist.github.com/higordiego/bedd395e74a335f0145872c96d7cb92d

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

CVE-2024-9952 Exploit
CVE Id : CVE-2024-9952 Published Date: 2024-10-16T15:05:00+00:00 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/?page=system_info/contact_info of the component Contact Information Page. The manipulation of the argument Address leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. inTheWild added a link to an exploit: https://gist.github.com/higordiego/bedd395e74a335f0145872c96d7cb92d
Update Wed Oct 16 14:41:55 UTC 2024
NA - CVE-2024-9952 - A vulnerability was found in SourceCodester...
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/?page=system_info/contact_info of...
CVE-2024-9952
Severity 3.1 (CVSS 3.1 Base Score) This issue affects some unknown processing of the file /admin/?page=system_info/contact_info of the component Contact Information Page.
CVE-2024-9952 - SourceCodester Online Eyewear Shop Cross-Site Scripting Vulnerability in Contact Information Page
CVE ID : CVE-2024-9952 Published : Oct. 15, 2024, 2:15 a.m. 17 minutes ago Description : A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/?page=system_info/contact_info of the component Contact Information Page. The manipulation of the argument Address leads to cross site scripting. The attack may be initiated remotely.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
