CVE-2024-41345 in openflightsinfo

Summary

by MITRE • 08/29/2024

openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/trip.php

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/26/2026

The vulnerability identified as CVE-2024-41345 affects the openflights application at commit 5234b5b and represents a critical cross-site scripting flaw located within the php/trip.php file. This type of vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, creating a significant security risk for any system utilizing this software component. The vulnerability manifests when user-supplied input is not properly sanitized before being rendered in the web interface, enabling attackers to execute arbitrary JavaScript code within the context of the victim's browser session.

The technical exploitation of this XSS vulnerability occurs through improper input validation and output encoding mechanisms within the trip.php script. When users provide data that gets processed and displayed without adequate sanitization, malicious payloads can be injected and executed in the browser of other users who view the affected content. This flaw falls under CWE-79 which specifically addresses cross-site scripting vulnerabilities where web applications fail to properly validate or escape user-supplied data before incorporating it into dynamically generated web pages. The vulnerability is particularly concerning as it exists in a core application component that handles trip-related data, potentially allowing attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform sophisticated attacks such as session hijacking, credential theft, and data manipulation within the application. Users who access the vulnerable trip.php page may unknowingly execute malicious code that can capture their login credentials, modify trip information, or even redirect them to phishing sites that appear legitimate. The attack surface is broad since any user input processed by this script could potentially serve as an entry point for exploitation, making the vulnerability particularly dangerous in multi-user environments where different users might be processing and viewing trip data. According to the ATT&CK framework, this vulnerability maps to T1566 which covers social engineering techniques that leverage XSS to compromise user systems.

Mitigation strategies for CVE-2024-41345 should focus on implementing robust input validation and output encoding practices throughout the application. The most effective immediate solution involves sanitizing all user-supplied input before processing and ensuring that any data rendered in the web interface is properly escaped to prevent script execution. Developers should implement proper HTML escaping mechanisms for all dynamic content and establish comprehensive input validation routines that reject or sanitize potentially malicious payloads. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against XSS attacks by restricting the sources from which scripts can be loaded. Organizations should also consider implementing regular security code reviews and automated vulnerability scanning to identify similar issues in other application components. The fix should be applied to the specific php/trip.php file by ensuring that all variables used in output generation are properly escaped and validated before being rendered to prevent attackers from injecting malicious scripts that could compromise user sessions or data integrity.

Responsible

MITRE

Reservation

07/18/2024

Disclosure

08/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00263

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!