CVE-2024-35582

6.1 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to inject malicious scripts into the Department input field. When users view the affected page, the scripts execute in their browser context, potentially stealing session cookies or performing unauthorized actions. Any organization using this specific software version is affected.

💻 Affected Systems

Products:
  • Sourcecodester Laboratory Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation with no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠 Likely Case

Attackers steal user session cookies to gain unauthorized access to the laboratory management system, potentially accessing sensitive patient or laboratory data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Department input field, which typically requires authentication. The vulnerability is stored XSS, meaning injected payloads persist and affect all users viewing the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement server-side validation to reject or sanitize HTML/JavaScript in the Department field.

Output Encoding (applies to: all)

Apply proper HTML encoding when displaying user-controlled data in web pages.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution sources, for example:

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Restrict access to the application using network segmentation or firewall rules
  • Implement web application firewall (WAF) rules to block XSS payloads in the Department parameter

🔍 How to Verify

Check if Vulnerable:

Test by entering a simple XSS payload like <script>alert('XSS')</script> in the Department field and checking whether it executes when viewing the page.

Check Version:

Check the application's version information in the admin panel or configuration files

Verify Fix Applied:

After implementing fixes, test with the same payload to ensure it's properly sanitized or blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript patterns in Department field submissions
  • Multiple failed login attempts following Department field modifications

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Department parameter
  • Unexpected outbound connections to external domains

SIEM Query:

web_requests WHERE parameter_name = 'Department' AND (parameter_value CONTAINS '<script' OR parameter_value CONTAINS 'javascript:' OR parameter_value CONTAINS 'onload=')
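The SIEM rule above is written against a decoded parameter value; in real request logs the Department value arrives URL-encoded, so a literal match on '<script' misses it. The following added example (not part of the advisory or the vendor's software) decodes the parameter first, applies the same three indicators case-insensitively, and shows the output-encoding workaround neutralizing a flagged value. The log line format, the departments.php path and the sample requests are constructed assumptions.

```python
"""Decoded detection for Department-field XSS, plus the output-encoding fix.

Added example, not the advisory's or the vendor's code. The log format
("METHOD path?params", with form parameters appended by the logger), the
request path and the sample entries are constructed assumptions.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Same indicator set as the advisory's SIEM query.
XSS_MARKERS = ("<script", "javascript:", "onload=")

# Constructed sample request log. Entries 2, 3 and 5 are encoded payloads;
# entries 1 and 4 are benign department names (4 contains an encoded '&').
SAMPLE_LOG = """\
POST /lms/admin/departments.php?action=add&Department=Chemistry
POST /lms/admin/departments.php?action=add&Department=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
POST /lms/admin/departments.php?action=add&Department=%3Cimg%20src%3Dx%20ONLOAD%3Dalert%281%29%3E
POST /lms/admin/departments.php?action=add&Department=Microbiology%20%26%20Serology
GET /lms/admin/departments.php?Department=javascript%3Aalert%281%29
"""

def department_values(log_text: str) -> list[str]:
    """Return the URL-decoded Department value from each request line."""
    values = []
    for line in log_text.splitlines():
        _, _, target = line.partition(" ")
        query = urlsplit(target).query          # parse_qs percent-decodes
        values.extend(parse_qs(query).get("Department", []))
    return values

def is_suspicious(value: str) -> bool:
    """Case-insensitive version of the SIEM rule, run on the decoded value."""
    lowered = value.lower()
    return any(marker in lowered for marker in XSS_MARKERS)

def flag_requests(log_text: str) -> list[str]:
    """Decoded Department values that match any XSS indicator."""
    return [v for v in department_values(log_text) if is_suspicious(v)]

def render_department(value: str) -> str:
    """Output-encoding workaround: HTML-escape the stored value at display
    time so a persisted payload is shown as text instead of executed."""
    return f"<td>{html.escape(value, quote=True)}</td>"

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit, "->", render_department(hit))
```

Benign names containing encoded characters (entry 4) decode cleanly and are not flagged, so the rule does not alert on ordinary department names.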
