Cross-Site Scripting Vulnerability in Code-Projects Blood Bank System
CVE-2024-12000

5.4MEDIUM

Key Information:

Vendor
Code-projects
Status
Blood Bank System
Vendor
CVE Published:
30 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-12000 identifies a critical Cross-Site Scripting (XSS) vulnerability within the Blood Bank System version 1.0 developed by Code-Projects. The vulnerability resides in the /controllers/updatesettings.php file, specifically affecting the setting handler component. Attackers can exploit this vulnerability by manipulating the 'firstname' parameter, enabling remote execution of malicious scripts in the context of the user's session. This vulnerability poses significant security risks as it may allow unauthorized actions to be performed, potentially compromising sensitive user data. Immediate action is recommended to mitigate the risk associated with this exploitable issue.

Affected Version(s)

Blood Bank System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12000 - Proof of Concept

References

https://vuldb.com/?id.286415
vdb-entrytechnical-description
https://vuldb.com/?ctiid.286415
signaturepermissions-required
https://vuldb.com/?submit.453717
third-party-advisory

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

jaychou8023 (VulDB User)
jaychou8023 (VulDB User)
.