Cross-Site Scripting Vulnerability in Code-Projects Blood Bank System

CVE-2024-12000

5.4MEDIUM

Key Information

Vendor
Code-projects
Status
Blood Bank System
Vendor
CVE Published:
30 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

CVE-2024-12000 identifies a critical Cross-Site Scripting (XSS) vulnerability within the Blood Bank System version 1.0 developed by Code-Projects. The vulnerability resides in the /controllers/updatesettings.php file, specifically affecting the setting handler component. Attackers can exploit this vulnerability by manipulating the 'firstname' parameter, enabling remote execution of malicious scripts in the context of the user's session. This vulnerability poses significant security risks as it may allow unauthorized actions to be performed, potentially compromising sensitive user data. Immediate action is recommended to mitigate the risk associated with this exploitable issue.

Affected Version(s)

Blood Bank System = 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

jaychou8023 (VulDB User)
jaychou8023 (VulDB User)
.