Platform: php
Component: online-motorcycle-rental-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Motorcycle Rental System version 1.0. The flaw lets an attacker inject script into the application, potentially compromising user sessions and data. It resides in the /admin/?page=bike page, specifically in the handling of the Model parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-5585 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, which can then be used to impersonate the user and gain unauthorized access to the administrative panel. An attacker could also deface the website or redirect users to malicious sites. The impact is particularly severe for administrators, as their accounts could be compromised, granting the attacker full control over the motorcycle rental system.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is 2.4 (LOW), indicating a limited impact. It is not currently listed on CISA KEV. The vulnerability's location within the administrative interface suggests that exploitation would likely require an attacker to have some level of access to the system, or be able to trick an administrator into clicking a malicious link.
Exploit Status
EPSS: 0.04% (14th percentile)
CVSS Vector
The primary mitigation for CVE-2023-5585 is to upgrade to version 1.0.1 of the Online Motorcycle Rental System. If upgrading is not immediately feasible, implement input validation and output encoding for the Model parameter handled by the /admin/?page=bike page. This is not a complete fix, but it reduces the attack surface. A web application firewall (WAF) configured to detect and block XSS payloads aimed at this endpoint can add a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by submitting a simple probe (e.g., <script>alert('XSS')</script>) in the Model parameter and verifying that the script does not execute.
Update the Online Motorcycle Rental System to a patched version or apply the necessary security measures to prevent the injection of malicious code into the 'Model' field. Validate and escape user inputs to prevent XSS attacks.
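The "validate and escape" advice above, shown as an added PHP illustration rather than code from the Online Motorcycle Rental System. The page only says that the Model parameter of /admin/?page=bike is reflected without encoding; the function names, the table-cell layout and the sample input below are assumptions.

```php
<?php
// Added illustration for CVE-2023-5585; not the project's own code.
// Assumed: the admin bike list prints the stored Model value inside a table cell.
declare(strict_types=1);

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup inside the Model field becomes part of the admin page.
function render_model_vulnerable(string $model): string
{
    return '<td>' . $model . '</td>';
}

// Hardened pattern, step 1: validate on input so obviously non-model strings
// are rejected before they are stored. The character set is an assumption.
function validate_model(string $model): ?string
{
    $model = trim($model);
    if ($model === '' || mb_strlen($model, 'UTF-8') > 64) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks; anything else fails.
    if (!preg_match('/^[\p{L}\p{N} .\-\/]+$/u', $model)) {
        return null;
    }
    return $model;
}

// Hardened pattern, step 2: encode on output regardless of what validation did.
// ENT_QUOTES encodes both quote styles as well as <, > and &, so the value can
// never open a tag or break out of an attribute.
function render_model_safe(string $model): string
{
    $encoded = htmlspecialchars($model, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Constructed sample: the probe the advisory suggests for verifying the fix.
$probe = "<script>alert('XSS')</script>";

// The vulnerable renderer emits the probe as live markup; the safe renderer
// emits it as entity-encoded text that the browser displays literally.
echo render_model_vulnerable($probe), PHP_EOL;
echo render_model_safe($probe), PHP_EOL;

// The validator rejects the probe but accepts a realistic model name.
var_dump(validate_model($probe));
var_dump(validate_model('CBR 600RR'));
```

Run it with `php -f` and compare the two echoed lines: only the second keeps the angle brackets as `&lt;` and `&gt;`.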
CVE-2023-5585 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Motorcycle Rental System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are running SourceCodester Online Motorcycle Rental System version 1.0. Check your version and upgrade immediately.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the Model parameter.
While exploitation is possible due to public disclosure, there are no confirmed reports of active exploitation at this time.
Refer to the SourceCodester website or their official communication channels for the advisory regarding CVE-2023-5585.