CVE-2024-37859
Description
Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the page parameter to php-lfis/admin/index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the page parameter of php-lfis/admin/index.php lets a remote, unauthenticated attacker execute arbitrary JavaScript in the browser of an administrator who opens a crafted link, i.e. in the admin dashboard's origin.
Vulnerability
Lost and Found Information System 1.0 contains a reflected Cross-Site Scripting (XSS) vulnerability in the page parameter of php-lfis/admin/index.php. The value supplied in this parameter is written into the HTML response without output encoding or validation, so any JavaScript an attacker places there is executed when the page is loaded [1]. The affected version is the final release as provided by SourceCodester; no updated versions have been published.
Exploitation
The attacker needs no account or session token on the application. The attack vector is remote: the attacker crafts a URL with a malicious payload in the page parameter (e.g., admin/index.php?page=) and delivers it to an administrator by social engineering, such as a phishing email, a chat message, or a link embedded in a page the admin is likely to visit. The only precondition is that the victim opens the link while logged in to the admin panel, since the script runs with whatever session the victim's browser holds [1].
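A detection check that goes with the exploitation path above, as an added example that is not part of the advisory or of the php-lfis project: it scans web-server access log lines (combined log format) for requests to php-lfis/admin/index.php whose decoded page value looks like script injection rather than a page name. The log lines, source addresses and the "legitimate page names are short identifiers" heuristic are constructed assumptions for the demo; they are not taken from the affected application.

```php
<?php
// Added detection example (not from the advisory or the php-lfis project).
// Requires PHP 8 (str_ends_with). The log lines below are CONSTRUCTED for the
// demo; the IPs are documentation ranges, not real hosts.

const LOG_LINES = [
    '203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /php-lfis/admin/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2024:12:00:07 +0000] "GET /php-lfis/admin/index.php?page=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2024:12:01:44 +0000] "GET /php-lfis/admin/index.php?page=items%22%20onmouseover%3Dalert%281%29%20x%3D%22 HTTP/1.1" 200 640 "http://evil.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2024:12:02:10 +0000] "GET /php-lfis/admin/index.php?page=users HTTP/1.1" 200 4880 "-" "Mozilla/5.0"',
];

/**
 * Extract the percent-decoded page parameter from a log line, but only for
 * requests that hit the affected script. Returns null for everything else.
 */
function page_param(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return null;
    }
    $url  = $m[1];
    $path = parse_url($url, PHP_URL_PATH);
    if ($path === null || !str_ends_with($path, '/php-lfis/admin/index.php')) {
        return null;
    }
    // parse_str() performs the URL decoding, so encoded "<" and quotes are visible.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return (isset($q['page']) && is_string($q['page'])) ? $q['page'] : null;
}

/**
 * Heuristic (assumption): a real page name is a short identifier. Anything
 * else that carries HTML metacharacters, quotes, "javascript:" or an
 * on*= handler is flagged as an injection attempt.
 */
function is_suspicious(string $page): bool
{
    return preg_match('/^[A-Za-z0-9_\/-]{1,64}$/', $page) !== 1
        && preg_match('/[<>"\'`]|javascript:|on[a-z]+\s*=/i', $page) === 1;
}

/** Return one alert per suspicious request: source address plus decoded payload. */
function scan(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $page = page_param($line);
        if ($page !== null && is_suspicious($page)) {
            preg_match('/^(\S+)/', $line, $ip);
            $hits[] = ['src' => $ip[1], 'page' => $page];
        }
    }
    return $hits;
}

foreach (scan(LOG_LINES) as $hit) {
    printf("ALERT src=%s page=%s\n", $hit['src'], $hit['page']);
}
```

Run with `php scan.php`; the two payload lines are reported and the two normal page loads are not. Two caveats: an access log only shows query strings, so a payload submitted in a POST body or hidden behind double encoding will not be caught by this rule, and a 200 status on the flagged request says nothing about whether an administrator actually opened the link, so treat a hit as a delivery attempt to correlate with admin session activity, not as confirmed compromise.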
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin user's browser. If the session cookie is not marked HttpOnly, the script can read it and the attacker can hijack the admin session outright; even with HttpOnly set, the script can still issue requests from the victim's browser to perform administrative actions, deface the admin interface, or harvest credentials through injected forms. In effect, an attacker with no account on the system gains the ability to act with the victim's admin privileges across everything the admin panel exposes [1].
Mitigation
As of July 2024, SourceCodester has not released a patched version; the application is likely end-of-life or unmaintained. No official workaround or patch has been provided in the available references [1]. The recommended mitigation is to discontinue use of the system, or, where that is not possible, to fix the source: validate the page parameter against an allowlist of known page names and pass any request-derived value through htmlspecialchars() before it reaches the HTML response. A web application firewall rule that blocks HTML metacharacters in the page parameter is a stopgap only, since filters on a single parameter are routinely bypassed. Marking the admin session cookie HttpOnly and restricting access to the admin path to trusted networks reduce the impact but do not remove the flaw.
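The vulnerable pattern described in the Vulnerability section beside the source-level fix recommended above, as an added example that is not code from the php-lfis project: the shape of the handler (an admin/index.php that reads ?page= and reflects unknown values in a "page not found" message) is an assumption made for illustration, and the page names in the allowlist are invented. The hardened version applies the two fixes the mitigation calls for: an allowlist check on the parameter and htmlspecialchars() on anything that is echoed.

```php
<?php
// Added illustration, not the php-lfis code. The handler shape is ASSUMED from
// the advisory text; the allowlist entries are invented for the demo.

// Vulnerable pattern: the raw page parameter ends up in the HTML response, so
// a crafted link executes script in the browser of the admin who opens it.
function render_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'home';
    // Hypothetical: unknown pages are reported back by name, unescaped.
    if (!in_array($page, ['home', 'items', 'users'], true)) {
        return "<div class=\"alert\">Page not found: $page</div>";
    }
    return "<div id=\"content\">[contents of $page]</div>";
}

// Hardened version: the parameter must be a string that matches an allowlist
// of known views, the attacker-controlled value is never echoed on the error
// path, and the accepted value is still HTML-encoded on output. ENT_QUOTES
// also encodes single quotes, so the value is safe inside attributes too.
const ALLOWED_PAGES = ['home', 'items', 'users'];

function render_hardened(array $get): string
{
    $page = $get['page'] ?? 'home';
    // is_string() rejects ?page[]=... which PHP would otherwise deliver as an array.
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return '<div class="alert">Page not found.</div>';
    }
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div id=\"content\">[contents of $safe]</div>";
}

// Constructed payload of the kind the advisory describes.
$payload = ['page' => '<script>alert(document.cookie)</script>'];
echo "vulnerable: ", render_vulnerable($payload), "\n";
echo "hardened:   ", render_hardened($payload), "\n";
echo "hardened:   ", render_hardened(['page' => 'items']), "\n";
```

Run with `php fix.php`: the vulnerable function returns the script tag verbatim inside the alert div, while the hardened one returns the generic "Page not found." message for the payload and the escaped view name for a valid page. The allowlist is the part that matters for a parameter that is also used to select a file to include; output encoding alone would stop the XSS but not a path-based include of an unexpected file.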
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.