CVE-2024-0650 | Medium Severity | Armis
CVE-2024-0650:
Cross-Site Scripting (CWE-79) vulnerability in Project Worlds Visitor Management System 1.0, exposed via the dataset.php file in the URL Handler. By manipulating the name parameter with input such as ">alert('torada'), an attacker can execute arbitrary JavaScript in a victim’s browser remotely.
Score
A numerical rating that indicates how dangerous this vulnerability is.
6.1 Medium
Published Date: Jan 18, 2024
CISA KEV Date: *No Data*
Industries Affected: 20
Threat Predictions
EPSS Score: 0.1
EPSS Percentile: 25%
Exploitability
Score: 2.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Impact
Score: 2.7
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Overview
CVE-2024-0650 is a medium-severity reflected cross-site scripting flaw in Project Worlds Visitor Management System 1.0, located in the dataset.php file of the URL Handler. Remote attackers can inject and execute malicious scripts by supplying input for the name parameter that the application does not sanitize; the demonstrated payload is an injected script. The vulnerability is exploitable without authentication and has been publicly disclosed. The CVSS metrics indicate client-side impact: the injected script executes in the victim's browser.
Remediation
- Validate and sanitize all user-supplied input in dataset.php, especially the name parameter, on the server side.
- Apply proper HTML context escaping/output encoding when reflecting input back to the page (use context-aware escaping for HTML content and attributes).
- Implement an allowlist (whitelist) for acceptable characters for the name parameter to reject suspicious payloads.
- Enforce a robust Content Security Policy (CSP) to mitigate the impact of potential XSS and restrict inline scripts.
- Consider upgrading to a patched version or applying vendor-provided security fixes if available; if no patch exists, implement mitigations such as input validation, output encoding, and restricted inputs.
- Deploy a Web Application Firewall (WAF) rule set that detects and blocks common XSS payloads targeting dataset.php.
- Conduct thorough testing with known XSS payloads and automated scanners to verify that input is properly sanitized and encoded.
- Improve logging and monitoring for dataset.php to detect any unusual or malicious input patterns.
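
The validation, output-encoding and CSP steps above, combined in one request handler. This is an added example, not the project's code: the dataset.php source is not shown on this page, so the function names, the allowed character set, the 64-character limit, the rendered markup and the CSP policy are all assumptions (PHP 8.0 or later).

```php
<?php
declare(strict_types=1);
// Hypothetical handler for the `name` parameter; not the real dataset.php.

// Allowlist: letters, digits, space, dot, apostrophe, hyphen; 1 to 64 chars.
// Both the character set and the length limit are assumptions.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/\A[\p{L}\p{N} .\'\-]{1,64}\z/u', $name) !== 1) {
        return null; // reject outright rather than trying to strip bad input
    }
    return $name;
}

// Encode for HTML element content and quoted attribute values.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name(mixed $raw): string
{
    // ?name[]=x arrives as an array; treat any non-string as invalid.
    $name = is_string($raw) ? validate_name($raw) : null;
    if ($name === null) {
        http_response_code(400);
        return '<p>Invalid name.</p>';
    }
    $safe = html_escape($name); // still encode: the allowlist permits an apostrophe
    // Attribute values are always quoted so encoded input cannot close them.
    return '<input type="text" name="name" value="' . $safe . '">'
         . '<p>Results for ' . $safe . '</p>';
}

// Defence in depth: inline scripts are refused even if an encoding step is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('Content-Type: text/html; charset=UTF-8');

echo render_name($_GET['name'] ?? null);
```

Validation and encoding are both kept because they fail differently: the allowlist rejects markup characters such as `<`, `>` and `"` before rendering, while encoding covers any character the allowlist lets through.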