LiveActive security incident?Get immediate response
CVE Record

CVE-2020-24194: A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1....

A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'fullname' parameter.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2020-24194 is a cross-site scripting issue in SourceCodester Daily Tracker System v1.0. A remote attacker could place script or HTML through the profile full name field, potentially affecting users who view the profile page. No active exploitation is indicated in the provided sources.

Executive priority

Treat as a targeted application risk. Prioritize if the system is internet-facing, handles sensitive user sessions, or allows broad user registration. Otherwise, address during routine web application remediation.

Technical view

The vulnerability is reported in user-profile.php and involves improper handling of the fullname parameter, allowing arbitrary web script or HTML injection. The source bundle provides no CVSS score, CWE mapping, patch version, or detailed vendor remediation. CISA KEV status is false.

Likely exposure

Exposure is likely limited to organizations running SourceCodester Daily Tracker System v1.0, especially internet-accessible or shared internal deployments where untrusted users can edit profile details.

Exploitation context

The issue is publicly disclosed and remotely reachable through application functionality. The provided sources do not support claims of active exploitation, widespread targeting, or automated exploitation.

Researcher notes

Evidence is sparse. The CVE description names the vulnerable file and parameter, but the bundle lacks CVSS, affected CPEs, CWE, and vendor patch details. Avoid assuming affected versions beyond v1.0.

Mitigation direction

  • Identify whether SourceCodester Daily Tracker System v1.0 is deployed.
  • Check SourceCodester or project guidance for an official fix or update.
  • Apply output encoding and input validation for profile fields.
  • Restrict profile editing to trusted users until remediated.
  • Consider retiring the application if no maintained fix exists.

Validation and detection

  • Inventory web applications for Daily Tracker System v1.0.
  • Review user-profile.php handling of the fullname parameter.
  • Confirm profile values are safely encoded before rendering.
  • Test only with benign markers in an authorized environment.
  • Review logs for unexpected profile field changes.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2020-24194 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.