CVE-2024-24050 is a medium severity Cross Site Scripting (XSS) vulnerability affecting Sourcecodester Workout Journal App version 1.0. The vulnerability arises from insufficient input validation and output encoding in the /add-user.php script, specifically in the firstname and lastname parameters. An attacker can craft malicious input containing executable JavaScript code that, when processed by the vulnerable endpoint and viewed by other users, executes in their browsers. This can lead to unauthorized actions such as session hijacking, cookie theft, or redirection to malicious sites. The CVSS vector indicates the attack can be performed remotely over the network without privileges but requires user interaction (e.g., clicking a malicious link). The vulnerability impacts data integrity but not confidentiality or availability directly. No patches or mitigations have been officially released, and no active exploitation has been reported. The CWE-79 classification confirms this is a classic reflected or stored XSS issue. This vulnerability highlights the importance of proper input sanitization and output encoding in web applications to prevent script injection attacks.

The primary impact of CVE-2024-24050 is on the integrity of user data and the security of user sessions within the affected application. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, unauthorized actions on behalf of the user, phishing attacks, or defacement of the web interface. While confidentiality and availability are not directly compromised, the indirect effects of session compromise or phishing can lead to broader security breaches. Organizations using the Workout Journal App may face reputational damage, loss of user trust, and potential compliance issues if user data is manipulated or stolen. Since the vulnerability requires user interaction, the risk can be mitigated somewhat by user awareness, but the widespread use of this app in fitness or health-related environments could make it an attractive target for attackers seeking to exploit trust relationships.

To mitigate CVE-2024-24050, organizations should immediately review and sanitize all user inputs, especially the firstname and lastname parameters in /add-user.php, using robust server-side validation and context-appropriate output encoding to neutralize any injected scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. If possible, disable or restrict the vulnerable functionality until a patch or update is available. Educate users to avoid clicking suspicious links and implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this endpoint. Monitor logs for unusual input patterns or error messages that could indicate attempted exploitation. Engage with the vendor or community to obtain or develop patches and apply them promptly once available. Conduct regular security testing, including automated scanning and manual penetration testing, to identify and remediate similar vulnerabilities proactively.