CVE-2024-45986
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in Projectworld Online Voting System 1.0 allows attackers to inject malicious JavaScript payloads during account registration. The payload executes when victim users view the voter.php or profile.php pages, potentially compromising their sessions. This affects all deployments of Projectworld Online Voting System 1.0.
💻 Affected Systems
- Projectworld Online Voting System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, manipulate voting results, deface the application, or redirect users to malicious sites, potentially compromising the entire voting system's integrity.
Likely Case
Session hijacking of regular users or administrators, allowing unauthorized access to voting functions or administrative controls.
If Mitigated
Limited to minor data leakage or temporary disruption if proper input validation and output encoding are implemented.
🎯 Exploit Status
Exploitation requires account registration capability. The GitHub reference contains proof-of-concept details showing the vulnerability can be exploited with basic JavaScript payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. Implement input validation and output encoding as described in workarounds.
🔧 Temporary Workarounds
Implement Input Validation
Add server-side validation to sanitize user input during account registration, rejecting or sanitizing JavaScript payloads.
Modify registration form handling in PHP to use htmlspecialchars() or similar functions on all user inputs before storage.
Implement Output Encoding
Encode user-controlled data when displayed in voter.php and profile.php to prevent JavaScript execution.
In voter.php and profile.php, wrap all user data outputs with htmlspecialchars($data, ENT_QUOTES, 'UTF-8') before echoing.
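The output-encoding workaround above, shown as an added PHP example (not code from the Projectworld project): a raw echo of a stored voter record beside the hardened form that passes every interpolation through htmlspecialchars(). The column names and the sample row are assumptions constructed for the illustration.

```php
<?php
// Added example, not the Projectworld Online Voting System's own code.
// Demonstrates output encoding of user-controlled fields before they reach
// the HTML emitted by pages such as voter.php / profile.php.
declare(strict_types=1);

/** Encode a user-controlled string for an HTML text node or quoted attribute. */
function e(?string $value): string
{
    // ENT_QUOTES escapes both " and ' so the value cannot close an attribute
    // delimited with either quote. ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning '' (which would silently drop the field).
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample row, as it would come back from the database after a
// registration that stored a script payload verbatim (hypothetical columns).
$voter = [
    'name'  => "Alice <script>alert('XSS')</script>",
    'email' => 'alice@example.invalid" onmouseover="alert(1)',
];

// VULNERABLE: string interpolation straight into markup. The stored payload
// becomes live HTML; the email value also breaks out of the href attribute.
function renderVulnerable(array $voter): string
{
    return "<td>{$voter['name']}</td>"
         . "<td><a href=\"mailto:{$voter['email']}\">{$voter['email']}</a></td>";
}

// HARDENED: every user-controlled value goes through e(), in both the text
// position and the attribute position. The browser then shows the payload
// as literal text instead of executing it.
function renderHardened(array $voter): string
{
    return '<td>' . e($voter['name']) . '</td>'
         . '<td><a href="mailto:' . e($voter['email']) . '">' . e($voter['email']) . '</a></td>';
}

echo renderVulnerable($voter), PHP_EOL;
echo renderHardened($voter), PHP_EOL;
```

Encode at one layer only: if the registration handler already stores htmlspecialchars() output as the first workaround suggests, encoding again at display double-encodes and shows entity text such as `&amp;lt;` to users. Validation belongs at input, encoding at output.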
🧯 If You Can't Patch
- Disable user registration functionality if not required
- Implement a Web Application Firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Register a test account with the payload <script>alert('XSS')</script> in any field. If the alert triggers when viewing voter.php or profile.php, the system is vulnerable.
Check Version:
Check the software version in the application's admin panel or configuration files.
Verify Fix Applied:
Attempt the same test after implementing fixes. The alert should not execute, and the payload should appear as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual account registrations with script tags or JavaScript code in username/email fields
- Multiple failed login attempts following suspicious registrations
Network Indicators:
- HTTP requests containing script tags in POST data to registration endpoints
- Unexpected JavaScript execution in voter.php or profile.php page loads
SIEM Query:
source="web_logs" AND (uri_path="/register.php" OR uri_path="/voter.php" OR uri_path="/profile.php") AND (http_method="POST" OR http_method="GET") AND (message="*<script>*" OR message="*javascript:*")