Platform
php
Component
vulndis
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester User Registration and Login System versions 1.0 through 1.0. This vulnerability resides within the /endpoint/add-user.php file and allows attackers to inject malicious scripts by manipulating the 'first_name' argument. The vulnerability is remotely exploitable and has been publicly disclosed, requiring immediate attention to prevent potential compromise. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6463 allows an attacker to inject arbitrary JavaScript code into the application. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the user interface. An attacker could potentially steal user credentials or redirect users to malicious websites. The impact is amplified if the application is used to manage sensitive user data or integrates with other critical systems. While the CVSS score is LOW, the ease of exploitation and potential for user compromise necessitate prompt remediation.
This vulnerability was publicly disclosed on 2023-12-01 and assigned the VDB identifier VDB-246613. The ease of exploitation, coupled with the public disclosure, increases the likelihood of exploitation attempts. No active exploitation campaigns have been publicly confirmed at the time of this writing, but the availability of a public proof-of-concept suggests that exploitation is possible. The EPSS score is likely medium, reflecting the public disclosure and ease of exploitation.
Exploit Status
EPSS
0.08% (24% percentile)
CVSS Vector
The primary mitigation for CVE-2023-6463 is to upgrade to version 1.0.1 of SourceCodester User Registration and Login System. This version includes a fix that addresses the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'first_name' parameter within the /endpoint/add-user.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update input validation routines to prevent similar vulnerabilities in the future.
Update the User Registration and Login System to a patched version or apply the security fixes provided by the vendor. Sanitize user inputs, especially the `first_name` field, to prevent XSS code execution. Implement data validation and encoding on the server-side to mitigate the risk.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-6463 is a cross-site scripting (XSS) vulnerability in SourceCodester User Registration and Login System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /endpoint/add-user.php file.
You are affected if you are using SourceCodester User Registration and Login System versions 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'first_name' parameter in /endpoint/add-user.php.
While no active exploitation campaigns have been confirmed, the public disclosure and availability of a proof-of-concept suggest exploitation is possible.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2023-6463.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.