CVE-2024-31650

9.6 CRITICAL

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the Last Name parameter of Cosmetics and Beauty Product Online Store v1.0, enabling cross-site scripting attacks. Any user who can submit data through this parameter can potentially execute arbitrary web scripts in victims' browsers. This affects all deployments of version 1.0 of this specific e-commerce software.

💻 Affected Systems

Products:
  • Cosmetics and Beauty Product Online Store
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: This appears to be a specific vulnerable version of a custom e-commerce application. The vulnerability exists in the Last Name parameter handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or deploy malware through the compromised web application.

🟠 Likely Case

Session hijacking, credential theft, and defacement of the online store interface through injected content.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting the specific vulnerable parameter.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited and weaponized. The public GitHub repository contains details about the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for an updated version from the software vendor.
2. If no patch is available, implement input validation and output encoding.
3. Apply web application firewall rules to block XSS payloads.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation to reject or sanitize malicious input in the Last Name parameter

Web Application Firewall Rules

all

Configure WAF to detect and block XSS payloads targeting the Last Name parameter

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Disable or restrict access to the vulnerable functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Test the Last Name parameter with XSS payloads like <script>alert('XSS')</script> and observe if script executes

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Retest with XSS payloads after implementing fixes to confirm scripts no longer execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters or script tags in Last Name field logs
  • Multiple failed login attempts after XSS payload submission

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Last Name parameter
  • Unusual outbound connections from user browsers

SIEM Query:

source="web_logs" AND (Last_Name CONTAINS "<script>" OR Last_Name CONTAINS "javascript:")
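
The query above matches only the exact substrings `<script>` and `javascript:`, so it misses percent-encoded and mixed-case values when the log stores the raw request. The following added example (not part of the original advisory or the vendor's code) decodes the field before matching; the field name `Last_Name` is taken from the query above and is an assumption about how it is logged, and the sample inputs are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

FIELD = "Last_Name"  # assumption: field name as written in the SIEM query above
# A surname has no reason to contain a tag opener or a javascript: URI.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:", re.IGNORECASE)

def literal_match(raw):
    """The SIEM query as written: exact substrings on the raw logged value."""
    return "<script>" in raw or "javascript:" in raw

def normalise(value, rounds=3):
    """Undo nested percent-encoding so the pattern sees the final text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_last_name(encoded, field=FIELD):
    """Return the decoded field value if it contains markup, else None."""
    for name, raw in parse_qsl(encoded, keep_blank_values=True):
        if name.lower() == field.lower():
            value = normalise(raw)
            if MARKUP.search(value):
                return value
    return None

# Constructed query strings / form bodies for illustration (not real traffic).
SAMPLES = [
    "First_Name=Ann&Last_Name=O%27Brien",
    "Last_Name=%3CScRiPt%3Ealert(%27XSS%27)%3C/ScRiPt%3E",
    "Last_Name=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E",
    "Last_Name=JaVaScRiPt%3Aalert(1)",
    "Comment=%3Cscript%3E&Last_Name=Lee",
]

def scan(samples=SAMPLES):
    """Pair each sample with the literal result and the decoded-match result."""
    return [(s, literal_match(s), flag_last_name(s)) for s in samples]

if __name__ == "__main__":
    for raw, literal, decoded in scan():
        print(f"literal={literal!s:5} decoded={decoded!r:34} {raw}")
```

The last sample is not flagged because the markup sits in a different field; widen `field` handling if other parameters are rendered without encoding.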
