CVE-2024-46077
📋 TL;DR
CVE-2024-46077 is a cross-site scripting (XSS) flaw in itsourcecode Online Tours and Travels Management System v1.0: values submitted through user input fields of travellers.php are rendered back into pages without encoding, so an attacker can inject script that runs in other users' browsers to steal session cookies, redirect them, or deface pages. Organizations running this specific software version are affected.
💻 Affected Systems
- itsourcecode Online Tours and Travels Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system control, compromise customer data, and deploy malware to visitors.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to phishing sites, or deface the travel booking interface.
If Mitigated
Script execution is blocked by browser security features or input validation, limiting impact to minor interface disruptions.
🎯 Exploit Status
Simple XSS payloads can be crafted and injected via multiple parameters without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. The actual fix is an application change: encode every value at the point where it is written into a page (htmlspecialchars with ENT_QUOTES) and validate input on the server side. The workarounds below reduce exposure until that change is made.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation of the travellers.php parameters (reject values that do not match the field's expected shape: an address for val-email, digits only for val-digits, a known value for state_name) and, separately, encode every value when it is written into the page.
The page's snippet, htmlspecialchars($_POST['parameter'], ENT_QUOTES, 'UTF-8'), is output encoding rather than input sanitization: call it at the echo site so that <, >, &, " and ' become entities, store the raw value unchanged, and note that it only protects the HTML body and quoted-attribute contexts, not values placed inside JavaScript or URLs.
Web Application Firewall Rule
Block the common XSS markers in the val-username, val-email, val-suggestions, val-digits, and state_name parameters. The rule below is the page's rule with its missing closing quote restored, logging enabled, and case-folding added; it remains a stop-gap, because the pattern misses other handlers such as onerror=, tags such as <img> or <svg>, and double-encoded payloads (add t:urlDecodeUni and t:htmlEntityDecode for those), so treat it as a detection aid until the application encodes its output.
WAF rule: SecRule ARGS "<script|javascript:|onload=" "id:1001,phase:2,t:none,t:lowercase,log,deny,status:403,msg:'XSS Attempt'"
🧯 If You Can't Patch
- Add a Content Security Policy header that does not permit inline script (a script-src without 'unsafe-inline', or one using nonces); this stops injected <script> blocks and inline handlers from executing, but a legacy PHP application usually relies on inline script, so test the policy with Content-Security-Policy-Report-Only before enforcing it
- Restrict access to travellers.php (authentication, IP allow-list, or removal) if the page is not essential for operations
🔍 How to Verify
Check if Vulnerable:
Submit a harmless, unique marker such as <xss-test-1234> (rather than an alert payload) to the val-username parameter of the travellers.php form and inspect the HTML source of the response and of any page that later displays the submitted data; if the marker comes back with its angle brackets intact, the parameter is vulnerable
Check Version:
Check software version in admin panel or readme files
Verify Fix Applied:
Confirm that the marker is returned as &lt;xss-test-1234&gt; (or rejected by validation) on every page that displays it and that nothing executes in the browser; a marker that is simply missing means the field was stripped or not displayed, which is not proof of a fix
📡 Detection & Monitoring
Log Indicators:
- POST requests to travellers.php whose parameters contain script tags, event handlers, or javascript: URLs; standard access logs do not record POST bodies, so this needs a WAF audit log (for example ModSecurity's) or application-level request logging
- Repeated rejected submissions of the same form fields from one client
Network Indicators:
- HTTP requests containing <script, javascript:, onload= or other on*= handlers in parameter values, including URL-encoded forms such as %3Cscript%3E and mixed-case variants
SIEM Query:
Illustrative pseudo-syntax; field names depend on the log source, and the match should be case-insensitive and cover URL-encoded forms:
source="web_logs" AND uri="*travellers.php*" AND (param="*<script*" OR param="*%3Cscript*" OR param="*javascript:*" OR param="*onload=*" OR param="*onerror=*")
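The detection logic above, and the coverage of the WAF rule from the Temporary Workarounds section, run over constructed log lines as an added example; this is not the advisory's own tooling. It assumes Apache combined access-log format and ModSecurity 2.x alert lines for the advisory's rule id 1001, the sample lines are constructed, and the broad pattern is tuned for triage rather than blocking.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real traffic). Only GET query strings are
# visible in the access log; a POST-body hit shows up only through the WAF
# alert written to the error log when rule 1001 fires.
ACCESS_LOG = """\
203.0.113.5 - - [16/Sep/2024:10:01:03 +0000] "GET /travellers.php?val-username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Sep/2024:10:01:09 +0000] "GET /travellers.php?val-username=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Sep/2024:10:01:15 +0000] "GET /travellers.php?state_name=%3CScRiPt%3Ex%3C%2FScRiPt%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2024:10:02:00 +0000] "GET /travellers.php?val-username=alice&val-digits=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2024:10:02:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

ERROR_LOG = """\
[Mon Sep 16 10:03:12.481222 2024] [:error] [pid 2211:tid 140] [client 203.0.113.5:51402] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script|javascript:|onload=" at ARGS:val-email. [file "/etc/modsecurity/local.conf"] [line "1"] [id "1001"] [msg "XSS Attempt"] [hostname "tours.example"] [uri "/travellers.php"] [unique_id "ZucQ8EzQ"]
[Mon Sep 16 10:04:40.002913 2024] [:error] [pid 2211:tid 141] [client 198.51.100.7:40211] [client 198.51.100.7] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/other.conf"] [line "7"] [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [hostname "tours.example"] [uri "/index.php"] [unique_id "ZucRMmVb"]
"""

# The advisory's WAF pattern, verbatim: case-sensitive and limited to three markers.
PAGE_RULE = re.compile(r"<script|javascript:|onload=")
# Broader indicator applied to the lower-cased, URL-decoded value: any tag
# opener, any on*= handler, or a javascript: URL. Expect some false positives
# (a parameter literally named "online=" would trip it); it is for triage.
BROAD_RULE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:")

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MODSEC_RE = re.compile(
    r'\[client (?P<ip>[\d.]+)\] ModSecurity: .*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)
MODSEC_PARAM_RE = re.compile(r"at ARGS:(?P<param>[\w-]+)")


def scan_access_log(text, path="/travellers.php"):
    """Flag decoded query-string values on `path` that hit either pattern."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            page_hit = bool(PAGE_RULE.search(value))
            broad_hit = bool(BROAD_RULE.search(value.lower()))
            if page_hit or broad_hit:
                events.append({"ip": m.group("ip"), "source": "access", "param": name,
                               "value": value, "page_rule": page_hit, "broad_rule": broad_hit})
    return events


def scan_modsec_log(text, rule_id="1001", path="/travellers.php"):
    """Collect alerts for the advisory's rule; these cover POST bodies too."""
    events = []
    for line in text.splitlines():
        m = MODSEC_RE.search(line)
        if not m or m.group("id") != rule_id or m.group("uri") != path:
            continue
        p = MODSEC_PARAM_RE.search(line)
        events.append({"ip": m.group("ip"), "source": "modsec",
                       "param": p.group("param") if p else None,
                       "value": None, "page_rule": True, "broad_rule": True})
    return events


def per_client(events):
    """Attempts per client IP: repeated hits from one address are the
    'multiple attempts' indicator from the advisory."""
    return Counter(e["ip"] for e in events)


def missed_by_page_rule(events):
    """Events the broad indicator caught but the advisory's WAF pattern would not."""
    return [e for e in events if e["broad_rule"] and not e["page_rule"]]


if __name__ == "__main__":
    found = scan_access_log(ACCESS_LOG) + scan_modsec_log(ERROR_LOG)
    for e in found:
        print(e)
    print("per client:", dict(per_client(found)))
    print("missed by rule 1001:", [e["value"] for e in missed_by_page_rule(found)])
```

On the constructed input the single client 203.0.113.5 accounts for all four events, and two of them (the onerror= handler and the mixed-case <ScRiPt> tag) pass the advisory's rule untouched, which is why the rule is a detection aid rather than a fix.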