Login Sign Up

CVE-2024-57423

6.1 MEDIUM
Cross-Site Scripting

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in CloudClassroom-PHP Project v1.0 allows remote attackers to inject malicious scripts via the exid parameter in the assessment function. This affects all users of CloudClassroom-PHP v1.0 who have the vulnerable component enabled. Attackers can execute arbitrary JavaScript in victims' browsers.

💻 Affected Systems

Products:
  • CloudClassroom-PHP Project
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the assessment function's exid parameter handling.

📦 What is this software?

Cloudclassroom Php Project by Vishalmathur

View all CVEs affecting Cloudclassroom Php Project →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal session cookies, perform account takeover, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠

Likely Case

Attackers steal session tokens to hijack user accounts, deface pages, or redirect users to phishing sites.

🟢

If Mitigated

Proper input validation and output encoding prevent script execution, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited with simple payloads; public proof-of-concept exists in GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Apply workarounds or manually fix the code by implementing input validation and output encoding for the exid parameter.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation to allow only expected characters in the exid parameter and sanitize input.

Modify PHP code to validate exid parameter: e.g., if (!preg_match('/^[a-zA-Z0-9]+$/', $_GET['exid'])) { die('Invalid input'); }

Output Encoding

all

Encode user-controlled data before outputting in HTML to prevent script execution.

Use htmlspecialchars() in PHP: echo htmlspecialchars($exid, ENT_QUOTES, 'UTF-8');

🧯 If You Can't Patch

  • Disable or restrict access to the assessment function if not essential.
  • Implement a Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Test by injecting a payload like <script>alert('XSS')</script> into the exid parameter of the assessment function and check if it executes.

Check Version:

Check the project version in configuration files or by reviewing the source code for version indicators.

Verify Fix Applied:

After applying fixes, test with the same payload; it should not execute and should be displayed as plain text or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or long strings in exid parameter logs, especially containing script tags or JavaScript code.

Network Indicators:

  • HTTP requests with suspicious payloads in the exid parameter, such as <script> tags.

SIEM Query:

source="web_logs" AND uri="*assessment*" AND query="*exid=*<script>*"

📊 Metadata

CVE ID: CVE-2024-57423
CVSS v3 Score: 6.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.15% exploit probability (35.1th percentile)
Published: February 26, 2025
Last Updated: April 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57423, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)