Cross Site Scripting Vulnerability in Code-Projects Farmacia 1.0

CVE-2024-11997

5.4MEDIUM

Key Information

Vendor
Code-projects
Status
Farmacia
Vendor
CVE Published:
30 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

CVE-2024-11997 is a high-severity cross site scripting (XSS) vulnerability identified in Code-Projects' Farmacia version 1.0. The flaw exists within the 'notaFiscal' parameter of the vendas.php script, allowing attackers to manipulate input and execute malicious scripts in the context of an affected user's session. This vulnerability poses significant risks as it enables remote attackers to inject harmful scripts, potentially leading to data theft, unauthorized access, or exploitation of user sessions. The vulnerability has been publicly disclosed, raising urgent concerns for users of the affected product.

Affected Version(s)

Farmacia = 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

jaychou8023 (VulDB User)
jaychou8023 (VulDB User)
.