Platform
php
Component
online-quiz-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Quiz System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating the quiztaker/yearsection parameter within the take-quiz.php file. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6473 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Quiz System. This could lead to session hijacking, credential theft, defacement of the quiz interface, or redirection to malicious websites. The attacker could potentially gain access to sensitive user data, such as quiz answers or personal information stored within the system. The impact is amplified if the quiz system is used in a sensitive environment, such as an educational institution or a corporate training program.
This vulnerability has been publicly disclosed and is tracked by VDB-246639. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. Public proof-of-concept exploits may become available, increasing the risk of widespread exploitation. No active campaigns have been reported at the time of this writing, but monitoring is recommended.
Exploit Status
EPSS
0.08% (24% percentile)
CVSS Vector
The primary mitigation for CVE-2023-6473 is to upgrade to version 1.0.1 of the Online Quiz System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the quiztaker/yearsection parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review and update the Online Quiz System to ensure you are running the latest version with the latest security patches.
Update to a patched version or apply a solution that correctly filters and escapes user inputs in the `take-quiz.php` file, especially the `quiz_taker` and `year_section` parameters. Validate and sanitize inputs before using them in HTML output to prevent malicious code injection. If a patched version is not available, consider disabling or removing the vulnerable functionality.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-6473 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions 1.0–1.0, allowing attackers to inject malicious scripts via the quiztaker/yearsection parameter.
You are affected if you are using SourceCodester Online Quiz System versions 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the Online Quiz System. As a temporary workaround, implement input validation and sanitization on the quiztaker/yearsection parameter.
While no active campaigns have been reported, the vulnerability is publicly disclosed and potentially exploitable, so monitoring is recommended.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2023-6473.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.