CVE-2024-8366

4.3 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Pharmacy Management System 1.0 that allows attackers to inject malicious scripts into user profile fields. The vulnerability affects the 'Update My Profile' page and can be exploited remotely. Users of the vulnerable system are at risk of having their sessions hijacked or being redirected to malicious sites.

💻 Affected Systems

Products:
  • Pharmacy Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component specifically on the user profile editing page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to phishing sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of user profile pages through script injection.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some functionality disruption may occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to reach the profile editing page, but the injected script runs in the browsers of other users who view the profile.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Implement input validation and output encoding in /index.php?id=userProfileEdit for fname, lname, and email parameters.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to filter malicious script inputs.

Input Validation Filter

all

Implement server-side input validation to reject HTML/script tags in user profile fields.
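
One way to apply the input validation and output encoding recommended in the Instructions above and in the Input Validation Filter workaround, as an added example (not code from the vendor or from the application). The helper names `e` and `validate_profile`, the name allowlist and the length limits are assumptions; the application's own handler for /index.php?id=userProfileEdit is not shown on this page.

```php
<?php
// Hypothetical helpers; the application's own handler is not shown on the page.

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate fname, lname and email. Returns [clean, errors]; store only if errors is empty. */
function validate_profile(array $post): array
{
    $clean = [];
    $errors = [];
    // Treat missing or non-string (array) parameters as empty so they fail validation.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';

    foreach (['fname', 'lname'] as $field) {
        $value = $get($field);
        // Assumed policy: starts with a letter; letters, marks, space, dot, apostrophe, hyphen; 1-50 chars.
        if (preg_match('/^\p{L}[\p{L}\p{M} .\'-]{0,49}\z/u', $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'Invalid name';
        }
    }

    $email = $get('email');
    if (strlen($email) <= 254 && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Invalid e-mail address';
    }
    return [$clean, $errors];
}

// Constructed sample input: fname carries markup, the other fields are ordinary.
[$clean, $errors] = validate_profile([
    'fname' => '<b>Ann</b>',
    'lname' => "O'Neil",
    'email' => 'ann@example.org',
]);

// fname is rejected. Output encoding is still applied to every value when rendering,
// because rows stored before the fix may already contain markup.
echo 'Rejected fields: ', e(implode(', ', array_keys($errors))), "\n";
echo '<input name="lname" value="', e($clean['lname']), '">', "\n";
```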

🧯 If You Can't Patch

  • Disable user profile editing functionality temporarily
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> into the fname, lname, or email field on the user profile edit page and check whether the script executes.

Check Version:

Check system documentation or about page for version information; no specific command available.

Verify Fix Applied:

After implementing fixes, test with the same payload to ensure no script execution occurs and input is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in user profile update requests
  • Multiple failed validation attempts on profile fields

Network Indicators:

  • HTTP requests containing script tags in POST parameters to /index.php?id=userProfileEdit

SIEM Query:

source="web_server" AND uri="/index.php?id=userProfileEdit" AND (param="fname" OR param="lname" OR param="email") AND content="<script>"
