CVE-2024-13081 in Land Record Systeminfo

Summary

by MITRE • 12/31/2024

A vulnerability was found in PHPGurukul Land Record System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/contactus.php. The manipulation of the argument Page Description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/16/2025

The vulnerability identified as CVE-2024-13081 represents a critical cross-site scripting flaw within the PHPGurukul Land Record System version 1.0. This system, designed for land record management, contains a security weakness that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability specifically resides in the administrative contactus.php file, which processes user input without proper sanitization or validation mechanisms. The flaw manifests when an attacker manipulates the Page Description parameter, enabling the execution of arbitrary JavaScript code within the victim's browser context. This type of vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation as a primary weakness leading to XSS attacks.

The attack vector for CVE-2024-13081 is remotely exploitable, meaning that malicious actors can initiate the attack without requiring physical access to the target system or direct network access to the application server. The public disclosure of this exploit significantly increases the risk to organizations using the affected PHPGurukul Land Record System, as threat actors can readily implement the attack without requiring advanced technical skills. The vulnerability's impact extends beyond simple script execution, potentially allowing attackers to hijack user sessions, steal sensitive information, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. This attack pattern aligns with ATT&CK technique T1566.001 which describes spearphishing with social engineering, as the XSS vulnerability can be leveraged to deliver malicious payloads that trick users into executing harmful code through seemingly legitimate administrative interfaces.

The operational impact of this vulnerability is particularly concerning for land record management systems which typically handle sensitive property data, personal information, and governmental records. An attacker who successfully exploits this XSS vulnerability could potentially access administrative functions, modify contact information, or gain unauthorized access to the system's backend operations. The compromised system may serve as a foothold for further attacks within the organization's network, especially if the application shares network resources or database access with other systems. Organizations using this software should immediately implement mitigations including input validation, output encoding, and proper content security policies to prevent script injection attacks. The vulnerability demonstrates the critical importance of secure coding practices and regular security assessments, particularly for web applications handling sensitive data. Without proper remediation, the affected system remains vulnerable to session hijacking, data exfiltration, and other malicious activities that could compromise the integrity and confidentiality of land records and associated user information.

Responsible

VulDB

Disclosure

12/31/2024

Moderation

accepted

CPE

ready

EPSS

0.00315

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!