CVE-2024-45984 identifies a Cross Site Scripting (XSS) vulnerability in the add_donor.php script of the Blood Bank And Donation Management System version 1.0. XSS vulnerabilities occur when an application does not properly sanitize user-supplied input, allowing attackers to inject malicious client-side scripts into web pages viewed by other users. In this case, the vulnerability exists in the donor addition functionality, where input fields are insufficiently validated or escaped before being rendered in the Donor List view. When a victim user accesses the Donor List page, the injected script executes within their browser context, potentially allowing attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or displaying fraudulent content. The vulnerability is remotely exploitable over the network without requiring authentication, but it does require the victim to interact by viewing the affected page. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, no confidentiality impact, low integrity impact, and no availability impact. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input leading to XSS. As of now, no patches or official fixes have been released, and no active exploitation has been reported. This vulnerability poses a risk primarily to organizations using this specific blood bank management software, especially those who allow multiple users to access donor data via web interfaces.

The primary impact of CVE-2024-45984 is the potential for attackers to execute arbitrary scripts in the browsers of users viewing the Donor List page. This can lead to integrity issues such as unauthorized actions performed on behalf of the user, session hijacking, or phishing attacks via malicious redirects or content injection. Although confidentiality and availability are not directly affected, the compromise of user sessions or manipulation of displayed data can undermine trust and operational security. For healthcare organizations and blood banks, this could result in unauthorized disclosure of sensitive donor information indirectly through session theft or social engineering, damage to reputation, and potential regulatory compliance issues. The vulnerability's medium severity and requirement for user interaction limit its impact scope but do not eliminate the risk, especially in environments with many users or public-facing interfaces. The absence of known exploits in the wild reduces immediate risk but also highlights the need for proactive mitigation before attackers develop weaponized payloads.

To mitigate CVE-2024-45984, organizations should implement strict input validation and output encoding on all user-supplied data fields within add_donor.php and related components. Specifically, applying context-aware HTML entity encoding or JavaScript escaping when rendering donor data in the Donor List view will prevent script injection. Employing Content Security Policy (CSP) headers can further reduce the impact by restricting the execution of inline scripts and loading of untrusted resources. Until an official patch is released, consider restricting access to the affected pages to trusted users only and monitoring web logs for suspicious input patterns indicative of attempted XSS attacks. Additionally, educating users to recognize phishing attempts and suspicious page behavior can reduce successful exploitation. Regularly updating the Blood Bank And Donation Management System when patches become available is critical. Finally, conducting security code reviews and penetration testing focused on input handling will help identify and remediate similar vulnerabilities.