Plattform
php
Komponente
online-quiz-system
Behoben in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Quiz System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating the quiztaker/yearsection parameter within the take-quiz.php file. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6473 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Quiz System. This could lead to session hijacking, credential theft, defacement of the quiz interface, or redirection to malicious websites. The attacker could potentially gain access to sensitive user data, such as quiz answers or personal information stored within the system. The impact is amplified if the quiz system is used in a sensitive environment, such as an educational institution or a corporate training program.
This vulnerability has been publicly disclosed and is tracked by VDB-246639. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. Public proof-of-concept exploits may become available, increasing the risk of widespread exploitation. No active campaigns have been reported at the time of this writing, but monitoring is recommended.
Organizations and individuals using SourceCodester Online Quiz System versions 1.0 through 1.0 are at risk. This includes educational institutions, training providers, and any entity utilizing the system for online quizzes or assessments. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• php / web:
curl -I 'http://your-quiz-system.com/take-quiz.php?quiz_taker/year_section=<script>alert(1)</script>' | grep HTTP/1.1• generic web:
grep -i 'quiz_taker/year_section=' /var/log/apache2/access.logdisclosure
patch
Exploit-Status
EPSS
0.08% (24% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2023-6473 is to upgrade to version 1.0.1 of the Online Quiz System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the quiztaker/yearsection parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review and update the Online Quiz System to ensure you are running the latest version with the latest security patches.
Actualizar a una versión parcheada o aplicar una solución que filtre y escape correctamente las entradas de usuario en el archivo `take-quiz.php`, especialmente los parámetros `quiz_taker` y `year_section`. Validar y limpiar las entradas antes de usarlas en la salida HTML para prevenir la inyección de código malicioso. Si no hay una versión parcheada disponible, considere deshabilitar o eliminar la funcionalidad vulnerable.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2023-6473 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions 1.0–1.0, allowing attackers to inject malicious scripts via the quiztaker/yearsection parameter.
You are affected if you are using SourceCodester Online Quiz System versions 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the Online Quiz System. As a temporary workaround, implement input validation and sanitization on the quiztaker/yearsection parameter.
While no active campaigns have been reported, the vulnerability is publicly disclosed and potentially exploitable, so monitoring is recommended.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2023-6473.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.