Platform
php
Component
cve_hub
Fixed in
1.0.1
CVE-2023-5695 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Internet Banking System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts into the system, potentially leading to session hijacking or defacement. A fix is available in version 1.0.1, and the vulnerability has been publicly disclosed.
The XSS vulnerability in CodeAstro Internet Banking System allows an attacker to inject arbitrary JavaScript code into the application. By manipulating the 'email' parameter in the pagesresetpwd.php file, an attacker can craft a malicious URL containing JavaScript payloads. When a user clicks on this crafted URL, the injected script executes within their browser context, with the privileges of the user. This could lead to the attacker stealing session cookies, redirecting the user to a phishing site, or modifying the content of the page. Given the sensitive nature of internet banking systems, successful exploitation could result in unauthorized access to user accounts and financial data. The public disclosure of this vulnerability significantly increases the risk of exploitation.
CVE-2023-5695 has been publicly disclosed and is considered potentially exploitable due to the availability of information about the vulnerability. The vulnerability identifier VDB-243133 has been assigned. The exploit is relatively straightforward, involving manipulation of the email parameter, which lowers the barrier to entry for attackers. No active exploitation campaigns have been publicly confirmed as of the last update, but the public disclosure increases the likelihood of future attacks.
Exploit Status
EPSS
0.10% (27% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2023-5695 is to immediately upgrade CodeAstro Internet Banking System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the email parameter in pagesresetpwd.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update to a patched version or implement robust input validation and sanitization, especially of the 'email' parameter in the pages_reset_pwd.php file. Escape HTML output to prevent malicious script execution. Consider using a security framework to mitigate XSS attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-5695 is a cross-site scripting (XSS) vulnerability in CodeAstro Internet Banking System versions 1.0-1.0, allowing attackers to inject malicious scripts via the email parameter in pagesresetpwd.php.
Yes, if you are using CodeAstro Internet Banking System versions 1.0 through 1.0, you are affected by this vulnerability.
Upgrade to version 1.0.1 or later. As a temporary measure, implement input validation and output encoding on the email parameter in pagesresetpwd.php.
While no active exploitation campaigns have been publicly confirmed, the vulnerability is publicly disclosed and potentially exploitable.
Refer to the vendor's advisory for specific details and updates regarding CVE-2023-5695.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.