Plattform
php
Komponente
vulndis
Behoben in
1.0.1
A cross-site scripting (XSS) vulnerability, classified as problematic (low severity), has been identified in SourceCodester User Registration and Login System version 1.0. The flaw resides in the /endpoint/add-user.php file: the value of the 'first_name' argument is written into the response without output encoding, so an attacker can inject script by manipulating that parameter. The vulnerability is remotely exploitable and has been publicly disclosed, so affected deployments should be remediated promptly. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6463 lets an attacker inject arbitrary JavaScript that executes in the browser of anyone who views the affected page. Possible outcomes include session hijacking (where session cookies are not marked HttpOnly), phishing overlays and credential theft, defacement of the user interface, and redirection of users to attacker-controlled sites. The impact is amplified if the application manages sensitive user data or integrates with other critical systems. The CVSS score is LOW, but exploitation is straightforward and the outcome is user compromise, so prompt remediation is warranted.
This vulnerability was publicly disclosed on 2023-12-01 and assigned the VDB identifier VDB-246613. The ease of exploitation, coupled with the public disclosure, increases the likelihood of exploitation attempts. No active exploitation campaigns have been publicly confirmed at the time of this writing, but the availability of a public proof-of-concept means exploitation requires little effort. The EPSS score is 0.08% (24th percentile), i.e. low: the estimated probability of exploitation in the wild within the next 30 days is small despite the public disclosure and ease of exploitation.
Organizations running SourceCodester User Registration and Login System, particularly with limited security controls or legacy configurations, are at risk. Shared hosting environments in which several users share the same server and application instance add exposure, since a compromise of one user account can affect the others.
• php: Examine the /endpoint/add-user.php file for unsanitized handling of the 'first_name' parameter. Search for patterns like echo $_POST['first_name'] without output encoding (htmlspecialchars or equivalent).
    // Example of vulnerable code
    echo $_POST['first_name'];
• generic web: Monitor access logs for requests to /endpoint/add-user.php with unusual or suspicious values in the 'first_name' parameter (e.g., containing <script> tags or on*= event handlers). Note that only GET parameters appear in a standard access log; POST bodies require request-body logging or a WAF.
• generic web: Check server responses for user-supplied values reflected without encoding. A harmless probe such as <b>test</b> submitted as first_name and rendered as bold text, rather than as the literal characters, confirms the issue.
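The log-monitoring check above, worked through as an added example (this is not code from the advisory or from the SourceCodester project). It scans combined-format access log lines for GET requests to /endpoint/add-user.php whose first_name value carries typical XSS markers. The sample log lines are constructed; the IP addresses and user agents are placeholders.

```php
<?php
// Added example, not code from the advisory or the SourceCodester project.
// Scans combined-format access log lines for requests to /endpoint/add-user.php
// whose first_name value carries typical XSS markers. Only GET parameters are
// visible in a standard access log; POST bodies need request-body logging or a WAF.

declare(strict_types=1);

// Constructed sample lines, not a real capture (203.0.113.0/24 is documentation space).
$sampleLog = <<<'LOG'
203.0.113.5 - - [01/Dec/2023:10:15:01 +0000] "GET /endpoint/add-user.php?first_name=Alice&last_name=Doe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2023:10:15:09 +0000] "GET /endpoint/add-user.php?first_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&last_name=x HTTP/1.1" 200 540 "-" "curl/8.4.0"
203.0.113.9 - - [01/Dec/2023:10:16:22 +0000] "GET /endpoint/add-user.php?first_name=%22%20onmouseover%3Dalert(1)%20x%3D%22&last_name=y HTTP/1.1" 200 538 "-" "python-requests/2.31"
203.0.113.5 - - [01/Dec/2023:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

/**
 * Heuristic: true when a first_name value contains an HTML tag opener,
 * an inline event-handler attribute, or a javascript: URL. The value is
 * URL-decoded once more so double-encoded probes are caught as well.
 */
function looksLikeXss(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:/i', $decoded);
}

/**
 * Parse one combined-format line. Returns the decoded first_name value when the
 * request targets /endpoint/add-user.php and the value looks like a probe,
 * otherwise null.
 */
function suspiciousFirstName(string $line): ?string
{
    // Request line inside the log entry: "METHOD /path?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST)\s+(/endpoint/add-user\.php(?:\?[^\s"]*)?)\s+HTTP/#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params); // parse_str also performs URL decoding
    $first = $params['first_name'] ?? null;
    if (!is_string($first) || !looksLikeXss($first)) {
        return null;
    }
    return $first;
}

// Walk the sample and report each hit with the client address.
foreach (preg_split('/\R/', trim($sampleLog)) as $line) {
    $value = suspiciousFirstName($line);
    if ($value !== null) {
        printf("ALERT %s first_name=%s\n", strtok($line, ' '), $value);
    }
}
```

The first sample line is a benign registration, the second and third carry a script tag and an event-handler injection respectively, and the fourth is unrelated traffic. The pattern in looksLikeXss is deliberately loose and will flag some legitimate input; treat hits as triage candidates rather than confirmed attacks, and feed the same regex into your SIEM or WAF logging rather than relying on a one-off script.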
disclosure
Exploit status
EPSS
0.08% (24th percentile)
CVSS vector
The primary mitigation for CVE-2023-6463 is to upgrade to version 1.0.1 of SourceCodester User Registration and Login System, which includes a fix for this vulnerability. If upgrading is not immediately feasible, encode the 'first_name' value for the HTML context (htmlspecialchars() with ENT_QUOTES) at every point where it is written into a page, in /endpoint/add-user.php and anywhere the stored value is later displayed, and validate it server-side. A web application firewall (WAF) configured to block XSS payloads provides a temporary layer of protection, not a fix. Regularly review and update output-encoding and input-validation routines to prevent similar vulnerabilities in the future.
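The workaround described above, shown as an added example that is not the SourceCodester project's code: a minimal stand-in for the reflected-output pattern in /endpoint/add-user.php, first as the vulnerable form and then hardened with server-side validation and HTML-context encoding. The parameter name first_name comes from the advisory; the function names, the allowed-character rule and the payload are assumptions made for the illustration.

```php
<?php
// Added example, not the SourceCodester project's code. Stand-in for the
// add-user.php output path: vulnerable form beside a hardened form.

declare(strict_types=1);

// Vulnerable: the raw request value is concatenated into HTML unchanged.
function renderVulnerable(array $post): string
{
    $first = $post['first_name'] ?? '';
    return '<p>Welcome, ' . $first . '</p>';
}

// Hardened: reject values that do not look like a name (defense in depth),
// then encode for the HTML context. Encoding is the actual XSS fix; the
// allow-list merely narrows what reaches the encoder and must be tuned to
// the names your users actually have.
function renderHardened(array $post): string
{
    $first = $post['first_name'] ?? '';
    if (!is_string($first)
        || $first === ''
        || strlen($first) > 64
        || !preg_match('/^[\p{L}\p{M}\' .-]+\z/u', $first)) {
        return '<p>Invalid first name.</p>';
    }
    // ENT_QUOTES covers both quote styles (attribute contexts), ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($first, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Welcome, ' . $safe . '</p>';
}

// Constructed payload for the illustration, not a reproduction from the advisory.
$payload = ['first_name' => '<script>alert(document.cookie)</script>'];

echo renderVulnerable($payload), "\n";                  // script tag reaches the browser as markup
echo renderHardened($payload), "\n";                    // rejected by the allow-list
echo renderHardened(['first_name' => "O'Brien"]), "\n"; // legitimate apostrophe is encoded, not dropped
echo renderHardened(['first_name' => 'Zoë']), "\n";     // non-ASCII letters pass the /u allow-list
```

Two points matter in practice. First, encoding has to happen at output, in every template that displays the stored name, not only in add-user.php; a value written once to the database and echoed elsewhere is a stored XSS with the same root cause. Second, do not replace encoding with tag stripping or a deny-list of strings like "<script"; event-handler attributes and encoded variants bypass those, whereas htmlspecialchars() with ENT_QUOTES neutralises all of them in an HTML text or attribute context.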
Update User Registration and Login System to a patched version or apply the security fixes provided by the vendor. Sanitize user input, especially the `first_name` field, to prevent XSS execution. Implement server-side validation and output encoding to mitigate the risk.
CVE-2023-6463 is a cross-site scripting (XSS) vulnerability in SourceCodester User Registration and Login System version 1.0 that allows attackers to inject malicious scripts via the 'first_name' parameter of the /endpoint/add-user.php file.
You are affected if you are using SourceCodester User Registration and Login System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, validate the 'first_name' parameter server-side and HTML-encode it wherever /endpoint/add-user.php (or any other page) writes it into a response.
While no active exploitation campaigns have been confirmed, the public disclosure and availability of a proof-of-concept suggest exploitation is possible.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2023-6463.