CVE-2024-3695 in Computer Laboratory Management Systeminfo

Summary

by MITRE • 04/12/2024

A vulnerability has been found in SourceCodester Computer Laboratory Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /classes/Users.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260482 is the identifier assigned to this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/06/2025

The vulnerability identified as CVE-2024-3695 represents a critical cross site scripting flaw within the SourceCodester Computer Laboratory Management System version 1.0. This system, designed for managing computer laboratory operations, contains a security weakness in its user management component that exposes the application to malicious web attacks. The vulnerability specifically resides in the /classes/Users.php file, indicating that user-related functionality within the system is susceptible to exploitation. The flaw manifests when an attacker manipulates the id argument parameter, which allows for the injection of malicious scripts that can execute in the context of other users' browsers. This type of vulnerability falls under the CWE-79 category, which specifically addresses cross site scripting vulnerabilities, and aligns with the ATT&CK technique T1190 for exploitation through web applications.

The remote exploitation capability of this vulnerability significantly amplifies its potential impact, as attackers do not require physical access to the system to launch attacks. The fact that the exploit has been publicly disclosed and is potentially in use means that threat actors can readily leverage this weakness to compromise user sessions and potentially escalate privileges within the system. When a malicious script is injected through the id parameter, it can execute in the victim's browser with the same privileges as the legitimate user, potentially allowing attackers to steal session cookies, access sensitive user data, or perform unauthorized actions on behalf of users. The vulnerability's classification as problematic indicates that it has been assessed as a serious security concern that requires immediate attention and remediation.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable more sophisticated attacks such as session hijacking, data exfiltration, and privilege escalation within the computer laboratory management environment. Users who interact with the system, including administrators and laboratory staff, could have their sessions compromised, leading to unauthorized access to laboratory resources, student data, and system configurations. The disclosure of this vulnerability through identifier VDB-260482 suggests that security researchers have already identified and documented the issue, making it more likely that automated exploitation tools may be available. Organizations using this management system should immediately assess their exposure and implement protective measures to prevent potential exploitation.

Mitigation strategies for CVE-2024-3695 should focus on input validation and output encoding to prevent malicious script injection. The system should implement proper sanitization of the id parameter within the Users.php file, ensuring that all user-supplied input is validated against expected formats and sanitized before processing. The implementation of Content Security Policy headers can provide additional protection against script execution, while regular security updates and patches should be applied to address the underlying vulnerability. Security monitoring should be enhanced to detect unusual patterns in user activity and parameter manipulation attempts. Organizations should also consider implementing web application firewalls to filter malicious requests before they reach the vulnerable application components. The vulnerability's presence in a management system underscores the importance of securing all application interfaces, as unauthorized access to laboratory management functionality could result in significant operational disruption and data compromise.

Responsible

VulDB

Reservation

04/12/2024

Disclosure

04/12/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00605

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!