Platform: php
Component: fotoscms2
Fixed in: 2.4.1, 2.4.2, 2.4.3, 2.4.4
CVE-2023-5837 is a problematic cross-site scripting (XSS) vulnerability affecting FotosCMS2 content management systems. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability impacts versions 2.4.0 through 2.4.3, and a fix is available in version 2.4.4.
Successful exploitation of CVE-2023-5837 allows an attacker to inject arbitrary JavaScript code into the FotosCMS2 application. This can lead to session hijacking, phishing attacks, defacement of the website, or the theft of sensitive user data, such as login credentials and personal information. The attacker can potentially execute malicious code in the context of a user's browser, gaining unauthorized access to their account and performing actions on their behalf. Given the nature of XSS, the blast radius extends to all users who interact with the affected page, particularly those who log in or submit data.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant prompt attention. No known active campaigns targeting this specific CVE have been reported as of the publication date. The vulnerability has been added to the VulnDB with identifier VDB-243802.
Exploit Status:
EPSS: 0.06% (20th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2023-5837 is to upgrade FotosCMS2 to version 2.4.4 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the username parameter in profile.php to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific vulnerability. Regularly review and update your security policies and procedures to prevent similar vulnerabilities from arising.
Update FotosCMS2 to a version later than 2.4.3 to fix the XSS vulnerability in the profile.php file. If updating is not possible, review and filter the inputs of the 'username' parameter in profile.php to prevent the injection of malicious code.
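The two workarounds above (validate the 'username' input, encode it on output) are shown below as an added example written for this page; it is not FotosCMS2 code, and the function names, the allowlist pattern and the sample input are hypothetical choices made here to illustrate the bug class. The first function reproduces the unsafe pattern of echoing a request parameter straight into HTML; the second rejects anything outside a conservative allowlist and then HTML-encodes whatever is rendered.

```php
<?php
// Added example, not FotosCMS2 code. Shows the class of defect described for the
// 'username' parameter of profile.php next to a hardened version. All names below
// are hypothetical.

declare(strict_types=1);

// --- Unsafe pattern (illustrative): the raw parameter is interpolated into HTML. ---
function render_profile_unsafe(array $get): string
{
    $username = (string) ($get['username'] ?? '');
    // No encoding: any markup in the parameter is rendered by the browser.
    return "<h1>Profile of {$username}</h1>";
}

// --- Hardened pattern: validate the input, then encode on output. ---

// Input validation: allow only a conservative character set and length.
// The pattern is an assumption for this example; choose one that matches
// the application's real username rules.
function is_valid_username(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username) === 1;
}

// Output encoding for an HTML text context. ENT_QUOTES also encodes single
// quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_profile_safe(array $get): string
{
    $username = (string) ($get['username'] ?? '');
    if (!is_valid_username($username)) {
        // Reject rather than "clean": a rejected value never reaches the page.
        http_response_code(400);
        return '<p>Invalid username.</p>';
    }
    // Encode even after validation so the output is safe regardless of the rule above.
    return '<h1>Profile of ' . h($username) . '</h1>';
}

// Constructed sample input resembling a textbook XSS probe (not from the advisory).
$sample = ['username' => '<script>alert(1)</script>'];

echo render_profile_unsafe($sample), PHP_EOL;                 // markup survives intact
echo render_profile_safe($sample), PHP_EOL;                   // rejected by the allowlist
echo render_profile_safe(['username' => 'alice_01']), PHP_EOL; // <h1>Profile of alice_01</h1>
// Encoding alone, for fields where an allowlist is too strict to apply:
echo h("O'Brien <b>"), PHP_EOL;                               // O&#039;Brien &lt;b&gt;
```

Validation and encoding are layered deliberately: the allowlist stops the value at the door, and `htmlspecialchars()` guarantees that whatever does get rendered cannot break out of the text node, which also covers any future relaxation of the username rule. The encoding shown is correct for an HTML text or attribute context only; a value placed inside a script block or URL needs the encoding for that context instead.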
CVE-2023-5837 is a cross-site scripting (XSS) vulnerability in FotosCMS2 versions 2.4.0–2.4.3, allowing attackers to inject malicious scripts.
You are affected if you are using FotosCMS2 versions 2.4.0 through 2.4.3. Upgrade to 2.4.4 or later to mitigate the risk.
Upgrade FotosCMS2 to version 2.4.4 or later. As a temporary workaround, implement input validation and output encoding on the username parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed and a proof-of-concept may be available, so vigilance is advised.
Refer to the FotosCMS2 project's official website or repository for the latest security advisories and updates.