CVE-2020-24194: A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1....
A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'fullname' parameter.
Security readout for executives and security teams
Plain-English summary
CVE-2020-24194 is a cross-site scripting issue in SourceCodester Daily Tracker System v1.0. A remote attacker could place script or HTML through the profile full name field, potentially affecting users who view the profile page. No active exploitation is indicated in the provided sources.
Executive priority
Treat as a targeted application risk. Prioritize if the system is internet-facing, handles sensitive user sessions, or allows broad user registration. Otherwise, address during routine web application remediation.
Technical view
The vulnerability is reported in user-profile.php and involves improper handling of the fullname parameter, allowing arbitrary web script or HTML injection. The source bundle provides no CVSS score, CWE mapping, patch version, or detailed vendor remediation. CISA KEV status is false.
Likely exposure
Exposure is likely limited to organizations running SourceCodester Daily Tracker System v1.0, especially internet-accessible or shared internal deployments where untrusted users can edit profile details.
Exploitation context
The issue is publicly disclosed and remotely reachable through application functionality. The provided sources do not support claims of active exploitation, widespread targeting, or automated exploitation.
Researcher notes
Evidence is sparse. The CVE description names the vulnerable file and parameter, but the bundle lacks CVSS, affected CPEs, CWE, and vendor patch details. Avoid assuming affected versions beyond v1.0.
Mitigation direction
Identify whether SourceCodester Daily Tracker System v1.0 is deployed.
Check SourceCodester or project guidance for an official fix or update.
Apply output encoding and input validation for profile fields.
Restrict profile editing to trusted users until remediated.
Consider retiring the application if no maintained fix exists.
Validation and detection
Inventory web applications for Daily Tracker System v1.0.
Review user-profile.php handling of the fullname parameter.
Confirm profile values are safely encoded before rendering.
Test only with benign markers in an authorized environment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2020-24194 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 9, 2020, 13:59 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.