CVE-2024–30979 : Stored Cross Site Scripting (XSS) in Cyber Cafe Management System Project (CCMS) 1.0 by phpgurukul
Introduction: In today’s interconnected world, cybersecurity is paramount. As technology evolves, so do the threats it faces. Recently, I uncovered a significant vulnerability in the Cyber Cafe Management System Project (CCMS) version 1.0 developed by phpgurukul. This vulnerability, identified as CVE-2024–30979, poses a serious risk to users of the system.
Overview: During my assessment of the CCMS software, I discovered a Cross-Site Scripting (XSS) vulnerability that exists within the “/edit-computer-details.php” page. Specifically, the “compname” parameter is susceptible to XSS attacks. This flaw allows an attacker to inject malicious code into the parameter, which is then stored and executed when the victim interacts with the “Edit Details” button on the “manage-computer.php” page.
CVE Identifier: CVE-2024–30979 has been assigned to this vulnerability, providing a standardized reference point for tracking and addressing the issue. This identifier facilitates communication and collaboration among cybersecurity professionals and organizations.
Description: The XSS vulnerability in CCMS version 1.0 arises due to inadequate input validation and sanitization of the “compname” parameter. Attackers can exploit this flaw by crafting a malicious payload and injecting it into the parameter. When the victim clicks on the “Edit Details” button, the injected code is executed within the context of the vulnerable page, potentially leading to various attacks, including session hijacking, data theft, and malware distribution.
Proof of Concept:
Goto Manage Computer page and click on “Edit Details” of any Computer as show in the below image.
Now, in the “Computer Name” Parameter, inject the following payload and hit the “Update” button.
"><script>alert("XSS Vulnerability!")</script>
Now go back to “Manage Computer” and click on “Edit Details” button.
When injected into the “compname” parameter, this payload triggers a pop-up alert, indicating successful exploitation of the XSS vulnerability.
Conclusion: CVE-2024–30979 underscores the critical importance of vigilance in cybersecurity. By raising awareness of vulnerabilities like XSS in the Cyber Cafe Management System Project (CCMS), we can collectively work towards a more secure digital landscape. Remember, cybersecurity is a shared responsibility, and together, we can mitigate risks and protect against threats.
References:
Thank You For Reading!
By: Shanu Nirwan