CVE-2024-48589
Published: 06 February 2025
Description
Cross Site Scripting vulnerability in Gilnei Moraes phpABook v.0.9 allows a remote attacker to execute arbitrary code via the rol parameter in index.php
Security Summary
CVE-2024-48589 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in Gilnei Moraes' phpABook version 0.9. The issue affects the 'rol' parameter of index.php, where attacker-controlled input reaches the page output without adequate sanitization, allowing a remote attacker to execute arbitrary script in a victim's browser. Published on 2025-02-06, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L): medium severity, reachable over the network, low attack complexity, no privileges required, but user interaction needed.
A remote attacker can exploit this vulnerability without authentication by crafting malicious input for the 'rol' parameter and tricking a user into interacting with a tainted page (e.g., via a phishing link or a malicious website). Successful exploitation has a low impact on each of confidentiality, integrity, and availability, since the injected script runs in the victim's browser context under the phpABook origin rather than on the server. Defensively, the relevant controls are context-aware output encoding of the 'rol' value before it is rendered, input validation against the set of values the parameter legitimately accepts, and a Content Security Policy that limits inline script execution.
Mitigation details and additional technical information are available in the GitHub repository at https://github.com/Exek1el/CVE-2024-48589.
Details
- CWE(s)