Cross-Site Scripting Vulnerabilities Discovered in PhpMyBackupPro 2.3

May 28, 2024

Security researchers have recently discovered multiple cross-site scripting (XSS) vulnerabilities in PhpMyBackupPro version 2.3. These vulnerabilities could allow attackers to execute malicious scripts on targeted websites, potentially compromising user data and session details.

The vulnerabilities, identified as CVE-2024-5415, CVE-2024-5414, and CVE-2024-5413, affect the following components of PhpMyBackupPro 2.3:

1. CVE-2024-5415: An XSS vulnerability exists in the `/phpmybackuppro/backup.php` script, specifically in the `comments` and `db` parameters. Attackers could exploit this flaw by crafting a malicious URL and sending it to a victim, allowing them to retrieve the victim's session details.

2. CVE-2024-5414: Another XSS vulnerability is present in the `/phpmybackuppro/get_file.php` script, affecting the `view` parameter. Similar to CVE-2024-5415, attackers could create a specially crafted URL to retrieve a victim's session details.

3. CVE-2024-5413: The third vulnerability is an XSS flaw in the `/phpmybackuppro/scheduled.php` script, which affects all parameters. Attackers could exploit this vulnerability by sending a malicious URL to a victim, potentially exposing their session details.

These vulnerabilities have been assigned a CVSS score of 7.1 (out of 10) and are classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). As of now, no official patches or solutions have been reported by the vendor.

Security professionals and users of PhpMyBackupPro 2.3 are advised to exercise caution and monitor for any updates or patches released by the vendor to address these vulnerabilities. In the meantime, it is recommended to limit access to the affected scripts and parameters, and to implement strict input validation and sanitization measures to mitigate the risks associated with these XSS flaws.

Citations:

[1] https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-phpmybackuppro

[2] https://www.incibe.es/incibe-cert/alerta-temprana/avisos/vulnerabilidad-de-cross-site-scripting-en-phpmybackuppro

[3] https://www.tenable.com/blog/microsofts-may-2024-patch-tuesday-addresses-59-cves-cve-2024-30051-cve-2024-30040

Trending

The Silent Threat in Systems: Two New Vulnerabilities in Tenable Network Monitor

2025 Vulnerabilities in Real Estate Software

Critical Security Vulnerabilities in Dell ControlVault3 Firmware

Remote Code Execution in EV Charging Stations

Server-Side Request Forgery (SSRF) Vulnerability in SmartRobot by INTUMIT

Critical CSRF Vulnerability in Siemens SIMATIC S7-1200 PLCs: Exploitation and Defense

Prisma Access Browser Security Update: Take Action to Address Critical Vulnerabilities

Cross-Site Scripting Vulnerabilities Discovered in PhpMyBackupPro 2.3

Cross-Site Scripting Vulnerabilities Discovered in PhpMyBackupPro 2.3

Post a Comment

İletişim Formu