CVE-2024-37856

5.4 MEDIUM

📋 TL;DR

This stored Cross-Site Scripting (XSS) vulnerability in Lost and Found Information System 1.0 allows an authenticated user to inject script into the first, middle, and last name fields of their profile. The payload is saved by the application and executes in the browser of any user, including an administrator, who later views that profile, letting the attacker act in the victim's session. Organizations running this specific software version are affected.

💻 Affected Systems

Products:
  • Lost and Found Information System
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation when user profile functionality is enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could run script in an administrator's browser when the administrator views the poisoned profile, steal the session cookie (if it is not flagged HttpOnly) or simply issue requests inside the administrator's session, take over the admin account, and gain full administrative control of the application to modify or delete records and create new users.

🟠

Likely Case

Attackers steal user session cookies or perform actions in the victim's session to impersonate legitimate users, read lost-and-found records, or make unauthorized changes within the system.

🟢

If Mitigated

With server-side validation and context-aware output encoding, injected markup is rendered as literal text and never executes; the residual effect is nothing more than junk stored in a name field.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can edit its own profile fields; the payload then fires for whichever user views the profile. Public proof-of-concept exists on Packet Storm Security.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://lost.com

Restart Required: No

Instructions:

1. Check the vendor website for updates.
2. If a patch is available, download and apply it following the vendor instructions.
3. Test functionality after patching, including the profile test under "How to Verify" below.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all versions

Implement server-side validation to reject or sanitize HTML/JavaScript in the first, middle, and last name fields.

Command: N/A - requires code changes

Output Encoding

Applies to: all versions

HTML-encode user-controlled data at the point it is rendered, using the encoding appropriate for the context (text node or attribute value), so that stored markup cannot execute.

Command: N/A - requires code changes
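The two workarounds above describe the fix in the abstract. The following is an added example, not code from Lost and Found Information System or its author, showing the vulnerable pattern (user-supplied name concatenated straight into HTML) next to the hardened form (output encoding at render time plus a server-side allow-list for name fields). The markup, field names, and the allow-list rules are assumptions for illustration; the final function is the "Verify Fix Applied" check from the How to Verify section, expressed as a test on the rendered page.

```python
import html

# Constructed sample profile; not data from the affected application.
PAYLOAD = "<script>alert('XSS')</script>"
PROFILE = {"first_name": PAYLOAD, "middle_name": "D", "last_name": "O'Brien"}


def render_profile_vulnerable(profile: dict) -> str:
    """Mirrors the bug class: stored input is concatenated into HTML unencoded.

    Hypothetical markup; the real application's template is not reproduced here.
    """
    return (
        "<div class='profile'><span class='name'>"
        f"{profile['first_name']} {profile['middle_name']} {profile['last_name']}"
        "</span></div>"
    )


def render_profile_safe(profile: dict) -> str:
    """Same markup, but every user-controlled value is HTML-encoded on output.

    html.escape with quote=True (the default) also encodes ' and ", so the
    encoded value is safe inside an attribute such as value="..." as well as
    in a text node.
    """
    enc = {k: html.escape(v, quote=True) for k, v in profile.items()}
    return (
        "<div class='profile'><span class='name'>"
        f"{enc['first_name']} {enc['middle_name']} {enc['last_name']}"
        "</span></div>"
    )


# Assumed allow-list for a person-name field: letters from any script plus a
# few punctuation marks that occur in real names. It deliberately does NOT
# block the apostrophe (O'Brien), which a naive "strip quotes" filter would.
ALLOWED_PUNCT = set(" '\u2019-.")


def validate_name(value: str) -> bool:
    """Server-side check to run before storing a name field.

    Rejects empty or over-long values and anything that is not a letter or
    one of ALLOWED_PUNCT, which excludes < > " & = / and other markup
    characters without breaking legitimate names.
    """
    if not 1 <= len(value) <= 64:
        return False
    return all(ch.isalpha() or ch in ALLOWED_PUNCT for ch in value)


def payload_rendered_raw(page_html: str, payload: str) -> bool:
    """Fix-verification check: True if the payload appears unencoded in the page.

    A patched build must return False here and instead contain the encoded
    form (for example &lt;script&gt;), which browsers display as literal text.
    """
    return payload in page_html


if __name__ == "__main__":
    print("vulnerable:", render_profile_vulnerable(PROFILE))
    print("safe:      ", render_profile_safe(PROFILE))
    print("validate O'Brien:", validate_name("O'Brien"))
    print("validate payload:", validate_name(PAYLOAD))
```

Encoding on output is the control that actually neutralizes payloads already sitting in the database; the allow-list is defence in depth for new submissions and does nothing for records stored before it was added.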

🧯 If You Can't Patch

  • Disable user profile editing if it is not essential; this stops new payloads but does not remove any already stored, so review existing first, middle, and last name values (from the database or with a client that does not execute script) and clean them.
  • Implement web application firewall (WAF) rules to block XSS payloads in the name parameters. Match on tags, event-handler attributes (on*=) and javascript: URLs after URL-decoding, not just on <script>, and do not block the apostrophe, which occurs in legitimate names such as O'Brien. Treat the WAF as a stopgap; such rules are routinely bypassed.

🔍 How to Verify

Check if Vulnerable:

Using a test account on a system you are authorized to test, enter <script>alert('XSS')</script> in the first, middle, or last name field and save the profile. Then view the profile as a different user (the payload fires in the viewer's browser, not the submitter's) and check whether the alert appears. Because the payload is stored, remove it from the test account afterwards.

Check Version:

Check application version in admin panel or about page

Verify Fix Applied:

Repeat the test with the same input. No script should execute, the payload should be displayed as plain text, and the page source should show it encoded (for example &lt;script&gt; rather than <script>).

📡 Detection & Monitoring

Log Indicators:

  • Name field submissions of unusual length or containing markup characters such as <, >, = or quotes
  • Multiple profile updates from a single user in a short period

Network Indicators:

  • HTTP POST requests to profile update endpoints whose name parameters contain script tags, event-handler attributes (onerror=, onmouseover=, ...) or javascript: URLs, including URL-encoded or double-encoded forms

SIEM Query:

source="web_logs" AND (uri_path="/profile/update" OR uri_path="/user/edit") AND (param_name="first_name" OR param_name="last_name" OR param_name="middle_name") AND param_value MATCHES "(?i)(<script|<img|<svg|on[a-z]+\s*=|javascript:)"

The endpoint paths and field names above are illustrative and must be adapted to the application's actual routes and parameter names. Apply the match after URL-decoding the parameter value, since a payload such as %3Cscript%3E will not contain the literal string <script>.
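The SIEM query above is pseudo-syntax; what it needs to do is parse POST bodies to the profile endpoints, decode them, and match broader XSS indicators than a bare <script>. The following is an added example, not detection content from the vendor or from any product, implementing that logic over constructed log lines. The log format, endpoint paths (/profile/update, /user/edit) and parameter names are assumptions and must be adapted to the real deployment.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines: "METHOD PATH STATUS FORM_BODY".
# These are made up for the example, not logs from a real deployment.
SAMPLE_LOGS = [
    "POST /profile/update 302 first_name=Alice&middle_name=&last_name=Smith",
    # classic stored-XSS payload, URL-encoded once by the browser
    "POST /profile/update 302 first_name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&last_name=Doe",
    # attribute-breakout payload with no <script> tag at all
    'POST /user/edit 302 last_name=%22+onmouseover%3D%22alert%281%29',
    # same idea, double-encoded to slip past a single-decode filter
    "POST /profile/update 302 first_name=%2522%2520onfocus%253Dalert%25281%2529",
    # suspicious value but on an unrelated endpoint; out of scope for this rule
    "POST /search 200 q=%3Cscript%3E",
    # legitimate names that a crude quote/hyphen filter would flag
    "POST /profile/update 302 first_name=O'Brien&last_name=Mary-Anne",
]

PROFILE_PATHS = {"/profile/update", "/user/edit"}          # assumed routes
NAME_PARAMS = {"first_name", "middle_name", "last_name"}  # assumed field names

XSS_INDICATORS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*/?\s*(img|svg|iframe|object|embed|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onmouseover=, onfocus=, ...
    re.compile(r"javascript\s*:", re.I),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are seen in clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one constructed log line into (method, path, {param: raw_value})."""
    method, path, _status, body = line.split(" ", 3)
    params = {}
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        params[key] = raw
    return method, path, params


def find_xss_submissions(lines):
    """Return one finding per name parameter that carries an XSS indicator."""
    findings = []
    for line in lines:
        method, path, params = parse_line(line)
        if method != "POST" or path not in PROFILE_PATHS:
            continue
        for name in sorted(NAME_PARAMS & params.keys()):
            value = normalize(params[name])
            matched = [p.pattern for p in XSS_INDICATORS if p.search(value)]
            if matched:
                findings.append(
                    {"path": path, "param": name, "value": value, "indicators": matched}
                )
    return findings


if __name__ == "__main__":
    for hit in find_xss_submissions(SAMPLE_LOGS):
        print(f"{hit['path']} {hit['param']}={hit['value']!r} -> {hit['indicators']}")
```

Note that the apostrophe and hyphen in the last sample line produce no finding: the indicators key on markup and attribute syntax rather than on punctuation that legitimate names contain, which keeps the alert volume usable.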

🔗 References