CVE-2024-8151 in Interactive Map with Marker
Summary
by MITRE • 08/26/2024
A vulnerability was found in SourceCodester Interactive Map with Marker 1.0. It has been classified as problematic. This affects an unknown part of the file /endpoint/delete-mark.php. The manipulation of the argument mark leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/12/2025
The vulnerability identified as CVE-2024-8151 represents a critical cross-site scripting flaw within the SourceCodester Interactive Map with Marker version 1.0 software. This security weakness resides in the /endpoint/delete-mark.php file where improper input validation occurs when processing the mark argument parameter. The vulnerability has been classified as problematic due to its potential for remote exploitation and the disclosed nature of the exploit, which significantly increases the risk of widespread abuse. The affected application fails to properly sanitize user-supplied input before processing it, creating an avenue for malicious actors to inject arbitrary script code into the application's response.
The technical implementation of this vulnerability demonstrates a classic XSS attack vector where the mark parameter in the delete-mark.php endpoint does not undergo adequate sanitization or encoding before being rendered in the web response. This allows an attacker to submit malicious JavaScript code through the mark argument, which then executes in the context of other users' browsers who view the affected content. The vulnerability's remote exploitability means that attackers can trigger the malicious payload without requiring physical access to the system or local network presence, making it particularly dangerous for web applications that serve multiple users. The attack chain typically involves an attacker crafting a malicious payload containing JavaScript code and submitting it through the vulnerable mark parameter, which gets executed when other users interact with the application.
The operational impact of CVE-2024-8151 extends beyond simple script execution, as it can enable more sophisticated attacks including session hijacking, credential theft, and data exfiltration. When an attacker successfully exploits this vulnerability, they can potentially steal user sessions, redirect victims to malicious sites, or modify application behavior to compromise the integrity of user data. The disclosed exploit status means that security researchers and malicious actors alike have access to the specific techniques required to exploit this flaw, accelerating the potential for real-world attacks. Organizations running this version of the interactive map software face significant risk of unauthorized access and data compromise, particularly in environments where users have varying levels of trust or where sensitive information might be handled through the application interface.
Mitigation strategies for this vulnerability should focus on implementing proper input validation and output encoding mechanisms throughout the application. The most effective immediate solution involves sanitizing all user-supplied input, particularly the mark parameter, using established encoding techniques such as HTML entity encoding before rendering any user-provided content. Organizations should implement Content Security Policy headers to limit the execution of inline scripts and restrict the sources from which scripts can be loaded. Additionally, the application should be updated to a patched version if available, or the vulnerable endpoint should be removed or secured through proper parameter validation. The implementation of web application firewalls and regular security scanning can help detect and prevent exploitation attempts, while user education about suspicious links and unexpected script behavior can provide additional defense layers. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a potential entry point for attackers following ATT&CK technique T1059.007 for command and scripting interpreter usage, particularly in the context of web-based attack vectors.