{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-51223", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T16:50:34.560Z", "dateReserved": "2024-10-28T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T15:23:52.794Z"}, "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Mobile Number parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Buckdray/vulnerability-research"}, {"url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51223"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:50:32.041950Z", "id": "CVE-2024-51223", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:50:34.560Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-51223", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:50:32.041950Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:50:26.549Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Buckdray/vulnerability-research"}, {"url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51223"}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Mobile Number parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T15:23:52.794Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51223", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:50:34.560Z", "dateReserved": "2024-10-28T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:vehicle_record_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6AE144F-2A5F-4F48-899F-732293FA1DB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Mobile Number parameter."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente /admin/profile.php de Phpgurukul Vehicle Record Management System v1.0 permite a los atacantes ejecutar scripts web o HTML arbitrarios mediante la inyecci\u00f3n de una carga \u00fatil manipulada en el par\u00e1metro Mobile Number."}], "id": "CVE-2024-51223", "lastModified": "2026-03-24T18:13:43.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T16:16:31.597", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Buckdray/vulnerability-research"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51223"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "vehicle_record_management_system", "vendor": "phpgurukul"}], "analysis": {"en": {"generated_at": "2026-03-24T19:53:14.653891+00:00", "value": {"mitigation_remediation": ["Check for an official vendor patch or newer release and apply it immediately", "Sanitize and validate the Mobile Number input field on the server side to reject non\u2011numeric or unsafe characters", "When rendering the Mobile Number value in the browser, apply context\u2011appropriate output encoding (e.g., HTML or JavaScript encoding) to neutralize any embedded scripts"], "summary": {"action": "Assess Impact", "impact": "Client\u2011side XSS"}, "threat_synthesis": {"affected_systems": "Phpgurukul Vehicle Record Management System version 1.0 is affected. The flaw is located in the admin profile module accessible at /admin/profile.php. No vendor\u2011supplied patch or newer release is referenced in the available data.", "description_and_impact": "A stored Cross\u2011Site Scripting flaw resides in the Mobile Number input of the /admin/profile.php page of Phpgurukul Vehicle Record Management System v1.0. By injecting a crafted payload into this field, malicious code can be stored and later served to users who view or edit the profile. The vulnerability allows execution of arbitrary web scripts or HTML in the context of other users, which can lead to session hijacking, defacement, or theft of sensitive data displayed by the application, without granting attacker control over the server itself. This weakness is rooted in improper input handling and output encoding (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 4.8 places the issue in the medium range, while an EPSS score below 1\u202f% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating limited public exploitation. Based on the description, it is inferred that attackers would need to reach the /admin/profile.php endpoint and submit a malicious Mobile Number value, implying that authenticated access or the ability to trick a legitimate administrator is likely required. The attack vector is a web form input, requiring moderate effort and possibly user interaction to trigger the malicious payload."}}}}, "created": "2026-03-24T10:35:07.535698+00:00", "title": "Stored Cross\u2011Site Scripting in Admin Profile Mobile Number Field", "updated": "2026-03-25T14:50:16.788558+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$vehicle_record_management_system"]}