Cross-Site Scripting vulnerability in PHP Server Monitor

Posted date 24/05/2024
Importance
3 - Medium
Affected Resources

PHP Server Monitor, version 3.2.0.

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting PHP Server Monitor version 3.2.0, a script that checks whether websites and servers are up and running. The vulnerability was discovered by Rafael Pedrero.

This vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-5312: 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-79.
Solution

There is no reported solution at this time.

Detail

CVE-2024-5312: PHP Server Monitor, version 3.2.0, is vulnerable to reflected cross-site scripting (XSS) through the /phpservermon-3.2.0/vendor/phpmailer/phpmailer/test_script/index.php page, which reflects every visible parameter into its HTML output without escaping it. The affected page is the test script shipped inside the bundled PHPMailer dependency and is reachable because the vendor/ directory sits under the web root. An attacker could craft a URL carrying script in one of those parameters and send it to a victim; when the victim opens it, the script runs in their browser in the context of the application and can, for example, retrieve their session details.
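A practitioner verifying a report like this one wants a repeatable check rather than a hand-crafted URL. The following Python probe is an added example, not INCIBE's code nor PHP Server Monitor's or PHPMailer's: it sends a unique canary containing the characters an HTML context must escape into each parameter in turn, then classifies the response as reflected-unescaped (exploitable), reflected-escaped (rendered inert) or not reflected. The HTTP layer is an injectable callable, and the two page functions at the bottom are constructed stand-ins for a page that echoes parameters raw and the same page after escaping its output; they are not the real test script. The target URL and parameter names in the `__main__` block are hypothetical, since the advisory does not list them.

```python
import html
import secrets
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters an HTML text or attribute context must entity-encode.
SPECIALS = "<>\"'"


def make_canary() -> str:
    """Unique probe value: a random token wrapped around the HTML specials."""
    token = secrets.token_hex(4)
    return f"xss{token}{SPECIALS}{token}"


def build_url(base: str, params: Dict[str, str]) -> str:
    """Crafted URL of the kind an attacker would send to a victim."""
    return f"{base}?{urlencode(params)}"


def classify(body: str, canary: str) -> str:
    """Decide how the response treated the canary."""
    if canary in body:
        return "reflected-unescaped"   # script placed in this parameter would run
    if html.escape(canary, quote=True) in body:
        return "reflected-escaped"     # reflected, but entity-encoded and inert
    return "not-reflected"


def probe(base: str, param_names: List[str], fetch: Callable[[str], str]) -> Dict[str, str]:
    """Probe each parameter separately so a reflection can be attributed to it."""
    results: Dict[str, str] = {}
    for name in param_names:
        canary = make_canary()
        # The other parameters get a benign value so the page still renders.
        params = {n: (canary if n == name else "x") for n in param_names}
        results[name] = classify(fetch(build_url(base, params)), canary)
    return results


# --- Constructed stand-ins for the HTTP layer (not the real test script) ---

def _query_params(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_page(url: str) -> str:
    """Echoes every parameter raw into HTML: the CWE-79 pattern."""
    items = "".join(f"<p>{k}: {v}</p>" for k, v in _query_params(url).items())
    return f"<html><body>{items}</body></html>"


def hardened_page(url: str) -> str:
    """Same page with output escaped (the equivalent of PHP's htmlspecialchars)."""
    items = "".join(
        f"<p>{html.escape(k)}: {html.escape(v, quote=True)}</p>"
        for k, v in _query_params(url).items()
    )
    return f"<html><body>{items}</body></html>"


if __name__ == "__main__":
    # Hypothetical target and parameter names; the advisory does not list them.
    target = "http://monitor.example/phpservermon-3.2.0/vendor/phpmailer/phpmailer/test_script/index.php"
    names = ["from", "to", "subject", "message"]
    for label, page in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(label, probe(target, names, page))
```

Against a test instance you own, replace the stand-in page with a real fetcher (for example a function that calls `urllib.request.urlopen` and returns the decoded body) and pass the parameter names the form actually exposes. A random canary is used instead of a fixed `<script>` payload so that a reflection cannot be confused with static page content, and so that the escaped form can be matched exactly.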

References list