Platform
php
Component
xss-stored-expense-tracker-app
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Expense Tracker App version 1. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the addcategory.php file, specifically in the handling of the categoryname argument. Affected users should upgrade to version 1.0.1 to mitigate this risk.
Successful exploitation of CVE-2023-5286 allows an attacker to inject arbitrary JavaScript code into the Expense Tracker App. This code can then be executed in the context of a victim's browser when they access a crafted URL. The impact ranges from simple defacement of the application's interface to more severe consequences like stealing session cookies, redirecting users to malicious websites, or even gaining unauthorized access to sensitive data stored within the application. The remote nature of the vulnerability means an attacker doesn't need local access to the server to exploit it.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The exploit is relatively straightforward, making it accessible to a wide range of attackers. While no active exploitation campaigns have been publicly reported as of the publication date, the availability of the vulnerability details and its ease of exploitation suggest that it could become a target. The vulnerability was assigned VDB-240914.
Exploit Status
EPSS
0.10% (27th percentile)
CVSS Vector
The primary mitigation for CVE-2023-5286 is to upgrade to version 1.0.1 of the Expense Tracker App. This version includes a fix for the vulnerable addcategory.php file. If upgrading immediately is not possible, consider implementing input validation and sanitization on the categoryname parameter to prevent the injection of malicious scripts. While a Web Application Firewall (WAF) might offer some protection, it's not a substitute for patching the application. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) into the category name field and confirming that it is properly sanitized or blocked.
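The following is an added example, not code from the Expense Tracker App or its fix. It contrasts the unsafe pattern the advisory describes (a category-name request parameter reflected into HTML verbatim) with a hardened handler that validates the parameter on input and HTML-encodes it on output. Function names, the allow-list, the 50-character limit and the `categoryname` array key are assumptions made for illustration; the probe string at the end is the one the advisory suggests for verifying a fix.

```php
<?php
// Added example (not the Expense Tracker App's own code). Names and the
// validation policy below are assumptions chosen for illustration.

declare(strict_types=1);

/**
 * Validate an incoming category name. Returns null when the value is rejected.
 * The allow-list (letters, digits, space, & ' _ - .) and the 50-character
 * limit are assumed policy, not values taken from the advisory.
 */
function validateCategoryName(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    // mb_strlen needs the mbstring extension, which is present in most PHP builds.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    // Angle brackets are outside the allow-list, so markup never reaches storage.
    if (!preg_match("/^[\\p{L}\\p{N} &'_\\-.]+$/u", $name)) {
        return null;
    }
    return $name;
}

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern, shown for contrast: the parameter is reflected verbatim,
// so any markup in it becomes part of the page.
function renderCategoryVulnerable(array $request): string
{
    $name = $request['categoryname'] ?? '';
    return "<li>$name</li>";
}

// Hardened pattern: validate on input, encode on output. Encoding is applied
// even though validation already rejects markup, so a future loosening of the
// allow-list does not silently reintroduce the injection.
function renderCategoryHardened(array $request): string
{
    $name = validateCategoryName($request['categoryname'] ?? null);
    if ($name === null) {
        return '<li class="error">Invalid category name</li>';
    }
    // Persist $name here with a prepared statement; encode every time it is rendered.
    return '<li>' . htmlEncode($name) . '</li>';
}

// Self-check with the probe string the advisory suggests for verifying a fix.
$probe = ['categoryname' => "<script>alert('XSS')</script>"];
$vulnerableReflects = strpos(renderCategoryVulnerable($probe), '<script>') !== false;
$hardenedBlocks     = strpos(renderCategoryHardened($probe), '<script>') === false;
echo ($vulnerableReflects && $hardenedBlocks)
    ? "probe reflected by the unsafe handler, blocked by the hardened one\n"
    : "CHECK FAILED\n";

// A legitimate name containing an ampersand passes validation and is encoded on output.
echo renderCategoryHardened(['categoryname' => 'Groceries & Food']) . "\n";
```

Run the script from the command line (`php example.php`) to see the probe rejected by validation while a benign name such as `Groceries & Food` is accepted and rendered with the ampersand encoded. The same two layers apply to stored values: the encoding call belongs at every point where a category name is written into HTML, not only in the handler that first receives it.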
Update the Expense Tracker App to a patched version that fixes the XSS vulnerability. If no patched version is available, review and sanitize user input in the add_category.php file, especially the category_name parameter, to prevent injection of malicious code. Consider implementing validation and output encoding to mitigate the risk.
CVE-2023-5286 is a cross-site scripting (XSS) vulnerability in SourceCodester Expense Tracker App version 1, affecting the addcategory.php file. Attackers can inject malicious scripts via the categoryname parameter.
Yes, if you are using Expense Tracker App version 1, you are vulnerable. Upgrade to version 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 of the Expense Tracker App. If immediate upgrade isn't possible, implement input validation and sanitization on the category_name parameter.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and relatively easy to exploit, increasing the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory regarding CVE-2023-5286.