CVE-2024-8605

4.3 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in code-projects Inventory Management 1.0: input submitted through the registration form (/view/registration.php) is written back into HTML without encoding, so an attacker can inject script that runs in the browser of anyone who views the affected page. Possible consequences are session hijacking, credential theft, or defacement. The registration page is reachable before login, so no authentication is required to exploit it.

💻 Affected Systems

Products:
  • code-projects Inventory Management
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker lures an administrator to the injected page, steals the admin session or credentials, performs actions in the inventory system as that user, or redirects victims to malicious content. Full compromise of the inventory application is plausible if an admin session is taken over.

🟠 Likely Case

Attackers inject script to steal session cookies or credentials of users who load the affected page, then use them to gain unauthorized access to the inventory system.

🟢 If Mitigated

With server-side input validation and, above all, HTML output encoding at every point where registration data is rendered, the payload is shown as inert text and registration keeps working.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit uses basic XSS payloads and requires no authentication. Public disclosure increases likelihood of weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: none linked (vendor site: https://code-projects.org/)

Restart Required: No

Instructions:

No official patch is available. Fix the code yourself: validate registration fields server-side and HTML-encode them wherever /view/registration.php (or any page that later displays the submitted values) writes them into the response, or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Platform: all

Add server-side allow-list validation for the registration fields and, more importantly, HTML-encode every value when it is written back into a page (htmlspecialchars with ENT_QUOTES in PHP).

Editing /view/registration.php to strip "<script>" tags or a few special characters is not sufficient on its own: event-handler attributes (onerror=, onmouseover=) and split tags bypass such blacklist filters, so encode at the output sink rather than filtering input.

Content Security Policy

Platform: all

Send a CSP header that forbids inline script, e.g. Content-Security-Policy: default-src 'self'

This is defence in depth, not a fix: it neutralizes the injected inline payload only if the policy contains no 'unsafe-inline', and it may break the application's own inline scripts and event handlers, so deploy it as Content-Security-Policy-Report-Only first and check the violation reports before enforcing.
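The two workarounds above, as an added example (this is not code from code-projects Inventory Management): a vulnerable echo of a registration field, a blacklist filter that still fails, and the hardened version with allow-list validation, output encoding, and the CSP header. The field name username, the validation rule, and the exact CSP directives are assumptions; the advisory names only the file /view/registration.php, not its form parameters.

```php
<?php
// Added example, not the project's own code. Field name "username" and the
// validation rule are assumptions; the advisory only names the file.

declare(strict_types=1);

// Constructed sample input standing in for $_POST on the registration form.
const SAMPLE_POST = ['username' => "<script>alert('XSS')</script>"];

// VULNERABLE: the submitted value is written straight into the HTML.
function render_vulnerable(array $post): string
{
    $u = $post['username'] ?? '';
    return "<p>Welcome, $u</p>";
}

// BLACKLIST (still vulnerable): removing "<script>" does not help.
// "<img src=x onerror=alert(1)>" passes untouched, and the split tag
// "<scr<script>ipt>" reassembles into "<script>" after one removal pass.
function render_blacklist(array $post): string
{
    $u = str_ireplace('<script>', '', $post['username'] ?? '');
    return "<p>Welcome, $u</p>";
}

// HARDENED step 1: allow-list validation of the input's shape.
function validate_username(string $raw): ?string
{
    // Letters, digits, dot, underscore, hyphen; 3 to 32 characters.
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $raw) === 1 ? $raw : null;
}

// HARDENED step 2: encode at the output sink. ENT_QUOTES covers both quote
// styles so the value is also safe inside an HTML attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $post): string
{
    $u = validate_username((string) ($post['username'] ?? ''));
    if ($u === null) {
        return '<p>Invalid username.</p>';
    }
    return '<p>Welcome, ' . h($u) . '</p>';
}

// Defence in depth: a CSP without 'unsafe-inline' leaves an injected inline
// script inert even if an encoding call is missed somewhere. Must be sent
// before any output; the directive set here is an assumption.
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

if (PHP_SAPI === 'cli') {
    echo render_vulnerable(SAMPLE_POST), PHP_EOL;                              // script intact
    echo render_blacklist(['username' => '<scr<script>ipt>alert(1)</script>']), PHP_EOL; // script intact
    echo render_hardened(SAMPLE_POST), PHP_EOL;                                // "Invalid username."
    echo render_hardened(['username' => 'alice_01']), PHP_EOL;                 // "Welcome, alice_01"
}
```

Run it with php on the command line to compare the four outputs. The decisive control is h() at the output sink; validate_username() narrows the attack surface but a free-text field (a full name, an address) could not be restricted this way and would rely on encoding alone.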

🧯 If You Can't Patch

  • Disable the registration functionality entirely if not needed
  • Put a web application firewall (WAF) with XSS rules in front of the application; this lowers the bar but does not remove the vulnerability, since encoded and obfuscated payloads regularly bypass signature rules

🔍 How to Verify

Check if Vulnerable:

On a non-production copy, submit <script>alert('XSS')</script> in each registration field and check whether the string comes back unencoded (view the page source: a vulnerable page contains the literal <script> tag, a safe one shows &lt;script&gt;). Check both the immediate response and any page that later displays the submitted values.

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

After implementing fixes, repeat the test with the same payload, plus an attribute-context variant such as " onmouseover="alert(1), and confirm that no script executes and that the values appear HTML-encoded in the page source.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /view/registration.php whose parameters contain script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, either literally or percent-encoded (%3Cscript%3E); note that most web servers do not log POST bodies unless body logging is explicitly enabled
  • Bursts of registration attempts from one source with such payloads

Network Indicators:

  • HTTP requests with script tags or event-handler attributes in registration form parameters
  • Responses from the registration page in which a user-supplied field value appears unencoded inside HTML

SIEM Query (pseudo-syntax; adapt to your platform, match case-insensitively, and remember that request_body is only populated if body logging is enabled):

source="web_logs" AND uri="/view/registration.php" AND (request_body CONTAINS "<script" OR request_body CONTAINS "%3Cscript" OR request_body CONTAINS "javascript:" OR request_body CONTAINS "onerror=")
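The detection logic behind the query above, as an added example (not part of the advisory or the product): a scan over constructed web-log lines that percent-decodes each request before matching, so the encoded form of the payload that a literal "<script>" search misses is still caught. The log format, the sample lines and the indicator patterns are assumptions.

```php
<?php
// Added example, not the project's own code. The log format and sample
// lines below are constructed for the demo.

declare(strict_types=1);

// Constructed sample lines: source, method, URI, then the logged body in quotes.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - POST /view/registration.php "username=alice&password=secret"
10.0.0.9 - POST /view/registration.php "username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=x"
10.0.0.9 - POST /view/registration.php "username=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
10.0.0.9 - GET /view/registration.php?username=javascript%3Aalert%281%29 ""
10.0.0.7 - POST /view/registration.php "username=bob&password=%3Cb%3Ehi%3C%2Fb%3E"
10.0.0.3 - POST /view/login.php "username=%3Cscript%3E"
LOG;

// Indicators, applied after decoding and lowercasing. A plain "<script>"
// substring match would miss the percent-encoded and event-handler payloads.
const XSS_PATTERNS = [
    '/<\s*script\b/',       // <script ...>
    '/\bon[a-z]+\s*=/',     // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/',     // javascript: URLs
    '/<\s*iframe\b/',
];

// Decode once and twice (attackers sometimes double-encode) and lowercase.
function decode_payload(string $raw): string
{
    $once  = urldecode($raw);
    $twice = urldecode($once);
    return strtolower($once . ' ' . $twice);
}

// Returns one entry per line that targets the registration endpoint and
// carries an XSS indicator, with the pattern that fired.
function find_xss_attempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) - (GET|POST) (\S+) "(.*)"$/', $line, $m)) {
            continue; // not in the expected format
        }
        [, $src, $method, $uri, $body] = $m;
        if (parse_url($uri, PHP_URL_PATH) !== '/view/registration.php') {
            continue;
        }
        // Check the query string as well: GET-based reflection would not be in the body.
        $query   = (string) (parse_url($uri, PHP_URL_QUERY) ?? '');
        $decoded = decode_payload($query . '&' . $body);
        foreach (XSS_PATTERNS as $pattern) {
            if (preg_match($pattern, $decoded) === 1) {
                $hits[] = ['src' => $src, 'method' => $method, 'pattern' => $pattern];
                break;
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Expected: three hits, all from 10.0.0.9; the harmless <b> tag and the
    // login.php line are not reported.
    foreach (find_xss_attempts(SAMPLE_LOG) as $hit) {
        printf("%s %s matched %s\n", $hit['src'], $hit['method'], $hit['pattern']);
    }
}
```

The event-handler pattern will also fire on legitimate parameter names that begin with "on"; tune the allow-list of field names for your deployment before alerting on it.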
