CVE-2024-57488 in Online Car Rental Systeminfo

Summary

by MITRE • 01/13/2025

Code-Projects Online Car Rental System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter in /admin/edit-vehicle.php.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 06/29/2025

The vulnerability identified as CVE-2024-57488 affects the Code-Projects Online Car Rental System version 1.0, specifically targeting the administrative interface through a cross site scripting flaw. This issue manifests in the edit-vehicle.php script where the vehicalorcview parameter fails to properly sanitize user input, creating an avenue for malicious script injection. The vulnerability resides within the application's handling of vehicle-related data within the administrative context, potentially allowing unauthorized actors to execute arbitrary JavaScript code in the context of authenticated admin sessions.

This XSS vulnerability operates under CWE-79 which classifies it as a failure to sanitize input data, specifically targeting web applications that do not properly validate or escape user-supplied information before rendering it in web pages. The flaw represents a classic reflected XSS attack vector where malicious payloads can be injected through the vehicalorcview parameter and subsequently executed when the page is loaded. The vulnerability impacts the application's integrity by allowing attackers to manipulate the administrative interface and potentially escalate privileges or access sensitive data.

The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to hijack administrative sessions through session manipulation techniques. According to ATT&CK framework, this represents a technique categorized under T1059.007 for command and scripting interpreter, specifically targeting the web application layer. The vulnerability could allow attackers to inject malicious scripts that redirect users to phishing sites, steal session cookies, or modify vehicle records within the system. Given that this affects the administrative interface, successful exploitation could result in complete compromise of the car rental management system.

Mitigation strategies should focus on implementing proper input validation and output encoding mechanisms within the application code. The recommended approach includes sanitizing all user inputs through parameterized queries and HTML escaping before rendering any dynamic content. Additionally, implementing Content Security Policy (CSP) headers can provide an additional layer of protection against script execution. The fix should involve modifying the edit-vehicle.php script to properly validate and sanitize the vehicalorcview parameter, ensuring that any potentially malicious scripts are neutralized before being processed. Regular security testing including dynamic application security testing and manual code review should be implemented to prevent similar vulnerabilities from emerging in future releases.

Responsible

MITRE

Reservation

01/09/2025

Disclosure

01/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00349

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!