Cross Site Scripting Vulnerability in Superadmin_Dashboard/process/addcorporate_process.php Could Lead to Remote Exploitation
CVE-2024-3414

3.5LOW

Key Information:

Vendor
Sourcecodester
Status
Human Resource Information System
Vendor
CVE Published:
6 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The SourceCodester Human Resource Information System version 1.0 contains a cross site scripting vulnerability due to improper handling of user input within the Superadmin_Dashboard process file, specifically in the addcorporate_process.php function. By manipulating the corporate_name parameter, attackers can execute arbitrary scripts on the client side, potentially leading to session hijacking, data theft, and unauthorized actions. The nature of this vulnerability allows for remote exploitation, raising concerns for web application security. Publicly disclosed details suggest that this flaw may currently be active, necessitating prompt remediation.

Affected Version(s)

Human Resource Information System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3414 - Proof of Concept

References

https://vuldb.com/?id.259583
vdb-entrytechnical-description
https://vuldb.com/?ctiid.259583
signaturepermissions-required
https://vuldb.com/?submit.311436
third-party-advisory

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

liuann (VulDB User)
.