Plattform
php
Komponente
wenqin.webray.com.cn
Behoben in
1.0.1
CVE-2023-7059 is a cross-site scripting (XSS) vulnerability affecting the School Visitor Log e-Book software. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability impacts versions 1.0 through 1.0 of the software, and a patch is available in version 1.0.1.
Successful exploitation of CVE-2023-7059 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and theft of sensitive information such as login credentials or personal data. The attacker could potentially redirect users to phishing sites or install malware. Given the nature of visitor log systems, this could expose information about visitors to the school, potentially impacting privacy and security.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, suggesting that exploitation may require specific conditions or user interaction. As of the publication date (2023-12-22), there are no reports of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog.
Schools and educational institutions utilizing the School Visitor Log e-Book software, particularly those running versions 1.0 through 1.0, are at risk. Shared hosting environments where multiple users share the same server resources could amplify the impact if one user's account is compromised.
• php / web:
grep -r "log-book.php" /var/www/html/*• php / web:
curl -I http://your-school-visitor-log-url/log-book.php?Full Name=<script>alert('XSS')</script>disclosure
Exploit-Status
EPSS
0.14% (35% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2023-7059 is to upgrade to version 1.0.1 of the School Visitor Log e-Book. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Full Name' field to prevent the injection of malicious scripts. While a WAF might offer some protection, it's not a substitute for patching the vulnerable software. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the 'Full Name' field and confirming that it is properly sanitized or rejected.
Actualizar a una versión parcheada o aplicar una solución que filtre y escape correctamente la entrada del usuario en el campo 'Full Name' en el archivo log-book.php para prevenir la inyección de código XSS. Validar y limpiar las entradas del usuario es crucial para mitigar este tipo de vulnerabilidades. Si no hay una versión parcheada disponible, considere deshabilitar o eliminar el componente.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2023-7059 is a cross-site scripting vulnerability in School Visitor Log e-Book versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'Full Name' field.
You are affected if you are using School Visitor Log e-Book versions 1.0 through 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the School Visitor Log e-Book. As a temporary workaround, implement input validation on the 'Full Name' field.
As of the publication date, there are no confirmed reports of active exploitation campaigns targeting CVE-2023-7059.
Refer to the SourceCodester advisory for details: [https://sourcecodester.com/news/school-visitor-log-ebook-vulnerability](https://sourcecodester.com/news/school-visitor-log-ebook-vulnerability)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.