Cross-Site Scripting Vulnerability in Wazifa System by Code-Projects

CVE-2024-12001

5.4MEDIUM

Key Information

Vendor
Code-projects
Status
Wazifa System
Vendor
CVE Published:
30 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

CVE-2024-12001 describes a significant cross-site scripting (XSS) vulnerability in the Wazifa System 1.0 developed by Code-Projects. The flaw resides in the updatesettings.php file within the settings handler component, where manipulation of the 'firstname' parameter can be exploited. This vulnerability allows attackers to execute arbitrary scripts in the context of the user's session, leading to potential theft of sensitive information or hijacking of user accounts. The vulnerability can be remotely exploited, making it particularly concerning. Users and administrators are advised to apply necessary patches and monitor their systems for any malicious activities.

Affected Version(s)

Wazifa System = 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

jaychou8023 (VulDB User)
jaychou8023 (VulDB User)
.