CVE-2023-5793 is a cross-site scripting (XSS) vulnerability discovered in flusity CMS. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue resides within the loadCustomBlocCreateForm function of the customblock.php file in the Dashboard component. Due to the lack of versioning in flusity CMS, affected and unaffected releases are unavailable. A patch is available to address this issue.
Successful exploitation of CVE-2023-5793 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing user credentials, redirecting users to phishing sites, or modifying the content of the website. The vulnerability is remotely exploitable, meaning an attacker does not need to be authenticated to exploit it. Given the nature of XSS vulnerabilities, the potential impact can range from minor defacement to complete compromise of user accounts and data. The lack of versioning makes it difficult to determine the precise scope of affected installations, increasing the overall risk.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There is no indication of it being listed on KEV or having an EPSS score. Public proof-of-concept exploits are likely to emerge given the ease of exploitation associated with XSS vulnerabilities. The CVE was published on 2023-10-26.
Exploit Status
EPSS
0.06% (20% percentile)
CVSS Vector
The primary mitigation for CVE-2023-5793 is to apply the provided patch: 81252bc764e1de2422e79e36194bba1289e7a0a5. Since flusity CMS lacks versioning, applying this patch is the only known remediation. Consider implementing a Web Application Firewall (WAF) with XSS filtering rules as an additional layer of defense. Regularly review and sanitize user input to prevent future XSS vulnerabilities. After applying the patch, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the custom block creation form and confirming that the script is not executed.
Se recomienda aplicar el parche 81252bc764e1de2422e79e36194bba1289e7a0a5 proporcionado por el proveedor para corregir la vulnerabilidad XSS en el dashboard. Descargue el parche desde el repositorio oficial y aplíquelo siguiendo las instrucciones del proveedor. Verifique que la versión parcheada esté en funcionamiento para evitar futuros ataques.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-5793 is a cross-site scripting vulnerability in flusity CMS that allows attackers to inject malicious scripts. It affects the loadCustomBlocCreateForm function and can be exploited remotely.
Due to the lack of versioning in flusity CMS, all installations are potentially affected by CVE-2023-5793 until the provided patch is applied.
Apply the patch 81252bc764e1de2422e79e36194bba1289e7a0a5. This is the only known remediation for this vulnerability.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed, but it is a high probability.
Refer to the CVE entry on the NVD website for details: https://nvd.nist.gov/vuln/detail/CVE-2023-5793
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.