CVE-2024-33304

6.1 MEDIUM

📋 TL;DR

SourceCodester Product Show Room 1.0 contains a stored cross-site scripting (XSS) vulnerability in the 'Last Name' field of the Add Users functionality. The submitted value is stored and later rendered into the page without encoding, so script injected there executes in the browser of any user, including administrators, who views the affected user data. Organizations running this specific version of the software are affected.

💻 Affected Systems

Products:
  • SourceCodester Product Show Room
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version mentioned; other versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker steals administrator session cookies or performs actions in the administrator's browser, taking over the admin account, defacing the site, or redirecting users to malicious pages. With the admin role in hand the attacker controls every function the application exposes to administrators.

🟠 Likely Case

An attacker with access to Add Users plants a script that steals session cookies from whoever views the user list, gaining unauthorized access to administrative functions or other user accounts.

🟢 If Mitigated

With server-side input validation and output encoding in place, the script payload is stored and displayed as inert text, preventing execution while maintaining normal functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account with access to Add Users (typically an authenticated user), but once that access exists the attack is a single form submission; the stored script then runs in the browser of any user, including administrators, who views the record.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation in the Add Users handler: allowlist the characters a surname can legitimately contain (letters, spaces, apostrophes, hyphens) and reject anything else, rather than trying to strip HTML tags. Blocklist-style sanitization is easy to bypass with event-handler attributes (e.g. onerror=) and other tag-free vectors.

Output Encoding

Applies to: all

Apply HTML entity encoding (e.g. htmlspecialchars() with ENT_QUOTES in PHP, or the equivalent in the application's framework) at every point where stored user data is written into a page, not only in the user list. Output encoding is the primary defence against stored XSS; input validation is defence in depth.

🧯 If You Can't Patch

  • Put a web application firewall (WAF) with XSS rules in front of the application to block common payloads. Treat it as a stopgap: blocklist filtering is routinely bypassed with encoding and alternative vectors.
  • Restrict the Add Users functionality to trusted administrators only, and monitor user-creation requests for suspicious input.

🔍 How to Verify

Check if Vulnerable:

Only test an instance you are authorized to test. Enter a distinctive marker payload (e.g. <script>alert('XSS')</script>) in the Last Name field when adding a user, then open the user list and inspect the page source. If the payload appears as raw markup (and the alert fires), the instance is vulnerable. Check the source rather than relying on the alert alone, because a Content Security Policy or browser setting can suppress the dialog while the injection is still present.

Check Version:

Check the software version in the admin panel or configuration files; look for 'Product Show Room 1.0'.

Verify Fix Applied:

After implementing fixes, repeat the test with the same payload and confirm in the page source that it is either rejected at submission or rendered encoded (e.g. &lt;script&gt;), and that it no longer executes.
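The two workarounds above and the verification step, as an added Python example that is not part of this page or of the vendor's code: a hypothetical hardened Add Users handler with an allowlist validator for the Last Name field, the vulnerable and the encoded way of rendering a user row, and a check that classifies a rendered page as vulnerable, encoded or rejected from the marker payload. The function names, the allowlist policy and the sample values are assumptions, not the application's own.

```python
import html
import re

# Constructed marker payload, the same one the verification step above uses.
PAYLOAD = "<script>alert('XSS')</script>"

# Allowlist for a surname: starts with a letter (any script, so non-Latin names
# pass), then letters, spaces, apostrophes, hyphens or periods, 64 chars max.
# This is an assumed policy for the hypothetical handler, not the vendor's rule.
_NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '.-]){0,63}$")


def validate_last_name(value: str) -> bool:
    """Server-side validation: accept only characters a name can contain.
    An allowlist beats stripping '<script>' because it needs no list of
    bad patterns (img/onerror, svg/onload, ...) to keep up to date."""
    return _NAME_RE.fullmatch(value) is not None


def add_user(store: list, first: str, last: str) -> bool:
    """Hypothetical hardened Add Users handler: validate, then store.
    Returns False (and stores nothing) when either field is rejected."""
    if not (validate_last_name(first) and validate_last_name(last)):
        return False
    store.append((first, last))
    return True


def render_user_row_vulnerable(first: str, last: str) -> str:
    """Mirrors the bug class: the stored value is concatenated into HTML as-is,
    so a stored '<script>' reaches the viewer's browser as live markup."""
    return f"<tr><td>{first}</td><td>{last}</td></tr>"


def render_user_row_fixed(first: str, last: str) -> str:
    """Output encoding at the point the value is written into the page.
    quote=True also encodes ' and \", which matters inside attribute values."""
    return (
        f"<tr><td>{html.escape(first, quote=True)}</td>"
        f"<td>{html.escape(last, quote=True)}</td></tr>"
    )


def classify_rendering(page_html: str, payload: str) -> str:
    """Verification check: inspect the page source rather than waiting for
    an alert box, which a CSP or browser feature may suppress."""
    if payload in page_html:
        return "vulnerable"   # raw markup reaches the browser
    if html.escape(payload, quote=True) in page_html:
        return "encoded"      # output encoding is in place
    return "rejected"         # input validation dropped or changed it


if __name__ == "__main__":
    users: list = []
    print("payload accepted by handler:", add_user(users, "Ann", PAYLOAD))
    print("vulnerable row:", classify_rendering(render_user_row_vulnerable("Ann", PAYLOAD), PAYLOAD))
    print("fixed row:     ", classify_rendering(render_user_row_fixed("Ann", PAYLOAD), PAYLOAD))
```

Run it as a script to see the three outcomes side by side. The validator and the encoder are independent on purpose: the validator stops the payload from being stored, and the encoder makes any value that does reach the page inert, so a gap in one does not reopen the vulnerability.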

📡 Detection & Monitoring

Log Indicators:

  • Web server, proxy or WAF logs showing script tags, angle brackets or their URL-encoded forms (%3C, %3E) in the Last Name field of user-creation requests. Standard access logs do not record POST bodies, so this requires application-level or WAF request logging.

Network Indicators:

  • HTTP requests with script payloads in POST data to user addition endpoints.

SIEM Query:

Search for POST requests to '/add_user' or similar endpoints whose body contains '<script' or 'javascript:'. Match case-insensitively and URL-decode the body first (the payload usually arrives as %3Cscript%3E), and also look for event-handler attributes (onerror=, onload=) and tags such as <img> and <svg>, which carry XSS without any script tag.
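The SIEM query above, as detection logic over sample log lines. This is an added Python example, not part of the page or of any SIEM product: the log format (one "METHOD PATH BODY" line per request, as a proxy or WAF recording POST bodies might write), the endpoint names and the log lines themselves are constructed assumptions. It goes a step beyond the page's literal query by URL-decoding the body (twice, to catch double encoding) and by matching mixed case, event-handler attributes and tag-based vectors.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log, not captured from a real deployment.  Format assumed:
# "METHOD PATH BODY" per line, as a reverse proxy or WAF that records POST
# bodies might write it.  Endpoint names are assumptions too.
SAMPLE_LOG = """\
POST /add_user.php firstname=Ann&lastname=Smith
POST /add_user.php firstname=Ann&lastname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
POST /add_user.php firstname=Ann&lastname=<SCRIPT SRC=//example.invalid/a.js></SCRIPT>
POST /add_user.php firstname=Ann&lastname=%253Cimg%2520src%253Dx%2520onerror%253Dalert%281%29%253E
POST /login.php username=admin&password=%3Cscript%3E
GET /users.php -
"""

USER_ADD_PATHS = ("/add_user", "/adduser", "/users/add", "/save_user")  # assumed

# The page's query looks for '<script>' and 'javascript:' literally; this
# pattern also catches whitespace tricks, mixed case and the common non-script
# vectors (event-handler attributes, img/svg/iframe tags).
PAYLOAD_RE = re.compile(
    r"<\s*script|javascript\s*:|(?:^|[\s\"'])on[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)


def decode_body(body: str, rounds: int = 2) -> str:
    """URL-decode repeatedly: double-encoded payloads are a routine filter
    bypass, and a literal '%3Cscript' never matches '<script'."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def suspicious_user_add_requests(log_text: str) -> list:
    """Return one finding per POST to a user-add endpoint whose decoded body
    contains a script-injection pattern."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue                       # malformed line, skip
        method, path, body = parts
        if method != "POST" or not path.lower().startswith(USER_ADD_PATHS):
            continue                       # not a user-creation request
        decoded = decode_body(body)
        match = PAYLOAD_RE.search(decoded)
        if match:
            findings.append({"line": lineno, "path": path,
                             "pattern": match.group(0), "body": decoded})
    return findings


if __name__ == "__main__":
    for f in suspicious_user_add_requests(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} matched {f['pattern']!r}: {f['body']}")
```

Against the sample log the function flags the plain, the mixed-case and the double-encoded injections on the add-user endpoint and ignores the login request, which carries the same characters but targets a different endpoint. Scoping the search to the user-creation path keeps the rule quiet on unrelated forms; widen USER_ADD_PATHS to whatever your deployment actually uses.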
