CVE-2024-42550
Description
A stored XSS vulnerability in Mini Inventory and Sales Management System allows attackers to inject arbitrary scripts via the Title parameter in /email/welcome.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2024-42550 is a cross-site scripting (XSS) vulnerability found in the Mini Inventory and Sales Management System (commit 18aa3d). The flaw resides in the /email/welcome.php component, where the Title parameter is not properly sanitized before being rendered. An attacker can inject arbitrary web scripts or HTML through a crafted payload, leading to stored XSS [1].
Exploitation
Prerequisites
Exploitation requires no authentication, as the vulnerable endpoint is accessible to unauthenticated users. The attacker must be able to send a request to the /email/welcome.php page with a malicious payload in the Title parameter. The injected script is then stored and executed in the context of the victim's browser when the page is loaded [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The CVSS v3 base score of 5.4 (Medium) reflects the potential for partial confidentiality and integrity impact without requiring high privileges [1].
Mitigation
As of the publication date (August 21, 2024), no official patch has been released. Users are advised to manually sanitize the Title parameter in the /email/welcome.php file, implementing output encoding or input validation to prevent XSS attacks. The vendor has not responded to the disclosure [1].
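One way to apply the mitigation described above (validate the Title when it is stored, encode it when it is rendered), as an added example that is not the project's own code: the function names, the 100-character limit and the sample title are assumptions, and the "before" line is a hypothetical reconstruction, since the page does not show the vulnerable source of /email/welcome.php.

```php
<?php
// Added example, not code from the Mini Inventory and Sales Management System.
// The real /email/welcome.php is not shown on this page; the "before" line below
// is a hypothetical reconstruction of the unsafe pattern the advisory describes.
declare(strict_types=1);

// BEFORE (hypothetical): the stored Title value is echoed straight into HTML,
// so any markup it contains is interpreted by the victim's browser.
//   echo "<h1>Welcome, " . $row['title'] . "</h1>";

// Input validation at the point the Title is stored: reject values that cannot
// be a legitimate title (length limit, control characters). This narrows the
// attack surface but is NOT a substitute for output encoding.
function validate_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;
    }
    // Reject ASCII control characters; keep printable Unicode.
    if (preg_match('/[\x00-\x1F\x7F]/u', $title)) {
        return null;
    }
    return $title;
}

// Output encoding at render time: this is the fix that actually prevents
// stored XSS. ENT_QUOTES covers attribute contexts, ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8, and the explicit charset
// keeps the encoder and the page's declared charset in agreement.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// AFTER: render the stored Title safely inside an element body.
function render_welcome_heading(string $stored_title): string
{
    return '<h1>Welcome, ' . html_escape($stored_title) . '</h1>';
}

// Defence in depth: a CSP without 'unsafe-inline' stops injected inline
// scripts from executing even if an encoding gap remains elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample: a title containing markup is rendered inert.
$sample = validate_title("<b>Acme</b> Store") ?? 'Untitled';
echo render_welcome_heading($sample), "\n";
```

Encoding must happen at every place the Title is written into a page, not only in welcome.php; the CSP header is a backstop, not the fix.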
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.