CVE-2024-45528

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the 'fullname' field during member creation in CodeAstro MembershipM-PHP 1.0. When administrators view the member list, the scripts execute in their browser context. This affects any organization using the vulnerable version of this membership management system.

💻 Affected Systems

Products:
  • CodeAstro MembershipM-PHP
  • Membership Management System in PHP
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the add_members.php functionality enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Administrator account compromise leading to full system takeover, data theft, or deployment of additional malware.

🟠 Likely Case
Session hijacking of administrators, credential theft, or defacement of the membership portal.

🟢 If Mitigated
Limited to minor UI disruption if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to create members (typically authenticated user privilege). The GitHub reference contains proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Implement input validation and output encoding in add_members.php and any display pages.

🔧 Temporary Workarounds

Input Sanitization

Add HTML entity encoding to the fullname parameter before storing it in the database.

In add_members.php, replace $_POST['fullname'] with htmlspecialchars($_POST['fullname'], ENT_QUOTES, 'UTF-8').

Output Encoding

Ensure all user-controlled data is properly encoded when displayed.

In member display pages, wrap all echo statements of user data with htmlspecialchars().
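The following is an added example, not code from CodeAstro MembershipM-PHP, showing one way to implement the two workarounds above together: an allow-list check on the submitted name, a prepared statement for storage, and htmlspecialchars() applied at the point of display. The names validate_fullname, h, render_member_row, insert_member, handle_add_member and the 'members' table are assumptions; the vendor's schema and file layout may differ. The self-check at the bottom runs the advisory's verification payload through both layers.

```php
<?php
// Added example, not code from CodeAstro MembershipM-PHP: one way to harden
// the 'fullname' handling described in the two workarounds above. The names
// validate_fullname, h, render_member_row, insert_member, handle_add_member
// and the 'members' table are assumptions about the application.
declare(strict_types=1);

/**
 * Accept the submitted full name or return null. The allow-list keeps junk
 * out of the database but is not the XSS control; escaping at output is.
 */
function validate_fullname(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters in any script, combining marks, spaces, apostrophes, hyphens, periods.
    return preg_match('/^[\p{L}\p{M}\s\'.\-]+$/u', $name) === 1 ? $name : null;
}

/**
 * Escape for an HTML text node or quoted attribute. ENT_QUOTES covers single
 * quotes too; ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding ''.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** One row of the member list, every user-controlled value escaped at output. */
function render_member_row(array $member): string
{
    return '<tr><td>' . h((string) $member['id']) . '</td>'
         . '<td>' . h($member['fullname']) . '</td></tr>';
}

/** Store the validated, still-unescaped value through a prepared statement. */
function insert_member(PDO $pdo, string $fullname): void
{
    $stmt = $pdo->prepare('INSERT INTO members (fullname) VALUES (:fullname)');
    $stmt->execute([':fullname' => $fullname]);
}

/** Request-handler sketch for add_members.php (replaces a raw echo/insert). */
function handle_add_member(PDO $pdo, array $post): string
{
    $name = validate_fullname((string) ($post['fullname'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        return '<p>Full name is required and may only contain letters, spaces, apostrophes, hyphens and periods.</p>';
    }
    insert_member($pdo, $name);
    return '<p>Member ' . h($name) . ' added.</p>';
}

// Self-check with the advisory's verification payload; no database needed.
$payload = "<script>alert('XSS')</script>";
if (validate_fullname($payload) !== null) {
    fwrite(STDERR, "FAIL: payload passed validation\n");
    exit(1);
}
// A hostile value already sitting in the database is still neutralised at display.
$row = render_member_row(['id' => 7, 'fullname' => $payload]);
if (strpos($row, '<script') !== false) {
    fwrite(STDERR, "FAIL: row still contains a raw script tag\n");
    exit(1);
}
echo $row, PHP_EOL;
```

The example stores the validated value unescaped and escapes only when rendering, rather than encoding before storage as the first workaround suggests. Encoding at both points double-encodes names (an apostrophe shows up as `&amp;#039;`) and a value encoded for HTML is wrong for any other consumer of the table, such as a CSV export or an email template. The validation step is a second layer, not a replacement: names with legitimate characters outside the pattern would be rejected, so adjust the allow-list to the member population before deploying it.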

🧯 If You Can't Patch

  • Restrict access to add_members.php to trusted administrators only
  • Implement web application firewall rules to block XSS payloads in POST requests

🔍 How to Verify

Check if Vulnerable:

Test by creating a member with the payload <script>alert('XSS')</script> in the fullname field, then check whether the script executes when the member list is viewed.

Check Version:

Check the software version in the application interface or configuration files.

Verify Fix Applied:

Repeat the test with the same payload; the script should not execute and the payload should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to add_members.php with script tags or JavaScript in parameters
  • Multiple member creation attempts with similar payloads

Network Indicators:

  • HTTP requests containing <script> tags in POST body to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/add_members.php" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
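The query above matches the literal strings `<script>` and `javascript:`, but a browser URL-encodes a form body, so the advisory's payload arrives on the wire as `%3Cscript%3E...` and would not match a raw body field. It also assumes a log source that records POST bodies, which ordinary access logs do not. The following is an added example, not part of the advisory, that applies the same two indicators (plus the "multiple attempts from one source" indicator) to decoded bodies. The JSON-lines record shape (src, method, uri, body) and the sample records are constructed; real field names depend on the WAF or audit-log product.

```php
<?php
// Added example, not part of the advisory or the vendor's software: scan
// request-body log records for the indicators listed above. Field names
// (src, method, uri, body) and the sample records are constructed; ordinary
// access logs do not record POST bodies, so a WAF or audit log is assumed.
declare(strict_types=1);

/** Decode a form body so URL- or entity-encoded payloads match the same patterns. */
function normalise_body(string $body): string
{
    // Form bodies are URL-encoded once; a second pass catches double encoding.
    $decoded = rawurldecode(rawurldecode($body));
    // Entity-encoded tags (&lt;script&gt;, &#60;) would slip past a raw match.
    $decoded = html_entity_decode($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strtolower($decoded);
}

/** Names of the indicators that fire for one record; empty when nothing fires. */
function match_xss_indicators(array $rec): array
{
    if (($rec['method'] ?? '') !== 'POST') {
        return [];
    }
    $path = (string) parse_url((string) ($rec['uri'] ?? ''), PHP_URL_PATH);
    if (basename($path) !== 'add_members.php') {
        return [];
    }
    $body = normalise_body((string) ($rec['body'] ?? ''));
    $hits = [];
    // '<script' rather than '<script>': a tag with attributes has no '>' yet.
    if (strpos($body, '<script') !== false) {
        $hits[] = 'script_tag';
    }
    if (strpos($body, 'javascript:') !== false) {
        $hits[] = 'javascript_uri';
    }
    // Inline event handlers; coarser than the two above, so triage separately.
    if (preg_match('/\bon[a-z]+\s*=/', $body) === 1) {
        $hits[] = 'event_handler';
    }
    return $hits;
}

/**
 * Walk JSON-lines records; return alerts plus the sources that posted
 * payloads more than once (the second log indicator in the advisory).
 */
function scan_log(string $jsonLines): array
{
    $alerts = [];
    $perSource = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec)) {
            continue;  // skip malformed lines rather than abort the scan
        }
        $hits = match_xss_indicators($rec);
        if ($hits === []) {
            continue;
        }
        $src = (string) ($rec['src'] ?? 'unknown');
        $alerts[] = ['src' => $src, 'uri' => $rec['uri'], 'indicators' => $hits];
        $perSource[$src] = ($perSource[$src] ?? 0) + 1;
    }
    $repeat = array_keys(array_filter($perSource, fn(int $n): bool => $n >= 2));
    return ['alerts' => $alerts, 'repeat_sources' => $repeat];
}

// Constructed sample records. Record 2 is the advisory's payload as a browser
// actually submits it: URL-encoded, so a literal "<script>" match on the raw
// body would miss it. Record 4 is a GET and record 5 hits another endpoint.
$sample = <<<'LOG'
{"src":"10.0.0.5","method":"POST","uri":"/add_members.php","body":"fullname=Mary+O%27Brien&email=m%40example.org"}
{"src":"10.0.0.9","method":"POST","uri":"/add_members.php","body":"fullname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"}
{"src":"10.0.0.9","method":"POST","uri":"/add_members.php?debug=1","body":"fullname=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"}
{"src":"10.0.0.9","method":"GET","uri":"/add_members.php","body":""}
{"src":"10.0.0.12","method":"POST","uri":"/login.php","body":"user=%3Cscript%3E"}
LOG;

$result = scan_log($sample);
foreach ($result['alerts'] as $a) {
    printf("%-10s %-28s %s\n", $a['src'], $a['uri'], implode(',', $a['indicators']));
}
echo 'repeat sources: ', implode(', ', $result['repeat_sources']), PHP_EOL;
```

Running the script flags records 2 and 3 only and lists 10.0.0.9 as a repeat source. The event-handler pattern is deliberately broad and will fire on benign parameter names that happen to start with "on", so keep it as a lower-severity signal than the two string matches taken from the advisory's query.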
