CVE-2024-50990 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the PHPGurukul Online Marriage Registration System version 1.0. The vulnerability exists in the /omrs/user/search.php script, where the 'searchdata' POST parameter is not properly sanitized or encoded before being reflected in the server's response. This allows an attacker to craft a malicious POST request containing JavaScript code within the 'searchdata' parameter, which, when processed by the server and rendered in the victim's browser, executes arbitrary scripts. Such reflected XSS attacks typically require the victim to interact with a malicious link or submit crafted data, enabling attackers to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The CVSS 3.1 score of 6.1 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, but user interaction necessary, and a scope change that affects confidentiality and integrity. No patches or public exploits are currently documented, but the vulnerability is publicly disclosed as of November 11, 2024. The CWE-79 classification confirms this is a classic XSS flaw due to improper input validation and output encoding. This vulnerability highlights the need for secure coding practices in web applications handling user input, especially in government or public service systems like marriage registration portals.

The primary impact of CVE-2024-50990 is on the confidentiality and integrity of user data within the PHPGurukul Online Marriage Registration System. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of authenticated users, leading to session hijacking, theft of sensitive personal information, or unauthorized actions performed on behalf of users. While availability is not directly affected, the breach of user trust and potential data leakage can have significant reputational and operational consequences for organizations managing marriage registration services. Given the nature of the system, which likely handles personally identifiable information (PII), the exposure could also lead to privacy violations and regulatory compliance issues. The requirement for user interaction limits mass exploitation but does not preclude targeted phishing or social engineering campaigns. Organizations worldwide using this software, especially in regions where PHPGurukul products are prevalent, face risks of data compromise and service misuse if the vulnerability remains unaddressed.

To mitigate CVE-2024-50990, organizations should immediately implement proper input validation and output encoding on the 'searchdata' POST parameter within the /omrs/user/search.php endpoint. Specifically, all user-supplied input must be sanitized to remove or encode characters that could be interpreted as executable code in HTML or JavaScript contexts. Employing context-aware output encoding libraries is critical to prevent script injection. Additionally, deploying a robust Content Security Policy (CSP) can help restrict the execution of unauthorized scripts in browsers. Web application firewalls (WAFs) configured to detect and block reflected XSS payloads can provide an additional layer of defense. Organizations should also conduct security code reviews and penetration testing focused on input handling across the application. User awareness training to recognize phishing attempts that might deliver malicious payloads is recommended. Finally, monitoring for unusual user activity and logs can help detect exploitation attempts. Since no official patch is currently available, these compensating controls are essential until a vendor fix is released.