CVE-2024-57686
Published: 10 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-57686 is a Cross-Site Scripting (XSS) vulnerability in PHPGurukul Land Record System version 1.0. The issue resides in the /landrecordsys/admin/contactus.php component, which does not properly sanitize user input supplied in the "pagetitle" parameter. This allows remote attackers to inject malicious payloads, leading to the execution of arbitrary code in the victim's browser. The vulnerability is associated with CWE-79 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical severity.
Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction, simply by crafting and sending a malicious request over the network to the vulnerable endpoint. Exploitation via the "pagetitle" parameter enables attackers to execute arbitrary code in the context of the victim's browser, potentially compromising confidentiality, integrity, and availability with high impact.
Advisories and mitigation details are available in community references, including a write-up PDF at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/Reflected%20Cross%20Site%20Scripting.pdf and a notebook at https://github.com/lhRaMk7/notebook/blob/main/phar_rce. No official vendor patches or detailed mitigation steps are specified in the CVE publication dated 2025-01-10.
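The CVE publication gives no mitigation steps, so the following is an added example (not the vendor's code, and not the actual contactus.php source, which this page does not show) of how a PHP handler could treat the "pagetitle" value: validate it on input, HTML-encode it at the point of output, and mark the session cookie HttpOnly so injected script cannot read it. The function names, the 120-byte limit and the form markup are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handling of "pagetitle"; requires PHP 8.0+.
declare(strict_types=1);

// Reduce the value of a successful injection: HttpOnly hides the session
// cookie from document.cookie, SameSite limits cross-site sends.
// On an HTTPS deployment also set 'secure' => true.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
]);

/** Encode untrusted text for an HTML element body or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate a submitted title; returns null when the value is rejected. */
function clean_page_title(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // rejects array input such as pagetitle[]=x
    }
    $title = trim($raw);
    if ($title === '' || strlen($title) > 120) { // assumed limit, in bytes
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $title) === 1) {
        return null; // no control characters inside a title
    }
    return $title;
}

/** Render the form field with the title encoded where it is written out. */
function render_title_field(?string $title): string
{
    return '<input type="text" name="pagetitle" value="' . h($title ?? '') . '">';
}

// Constructed sample input: it passes validation (it is short, printable
// text), which is why the encoding step at output is the actual XSS control.
$sample = '"><script>alert(1)</script>';
echo render_title_field(clean_page_title($sample)), PHP_EOL;
```

The sample is emitted as inert text inside the value attribute because the quote and angle brackets are encoded as entities; validation alone would have let it through.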
Details
- CWE(s): CWE-79
- Affected Products: PHPGurukul Land Record System 1.0
- MITRE ATT&CK Enterprise Techniques: T1190, T1539
Why these techniques?
Reflected XSS in a public-facing web application (/admin/contactus.php) enables exploitation of public-facing applications (T1190) and facilitates theft of web session cookies via injected JavaScript (T1539).