Platform
php
Component
wenqin.webray.com.cn
Fixed in
1.0.1
CVE-2023-7059 is a cross-site scripting (XSS) vulnerability affecting the School Visitor Log e-Book software. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability impacts versions 1.0 through 1.0 of the software, and a patch is available in version 1.0.1.
Successful exploitation of CVE-2023-7059 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and theft of sensitive information such as login credentials or personal data. The attacker could potentially redirect users to phishing sites or install malware. Given the nature of visitor log systems, this could expose information about visitors to the school, potentially impacting privacy and security.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, suggesting that exploitation may require specific conditions or user interaction. As of the publication date (2023-12-22), there are no reports of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.14% (35th percentile)
CVSS Vector
The primary mitigation for CVE-2023-7059 is to upgrade to version 1.0.1 of the School Visitor Log e-Book. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Full Name' field to prevent the injection of malicious scripts. While a WAF might offer some protection, it's not a substitute for patching the vulnerable software. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the 'Full Name' field and confirming that it is properly sanitized or rejected.
Update to a patched version or apply a solution that correctly filters and escapes user input in the 'Full Name' field in the log-book.php file to prevent cross-site scripting (XSS) injection. Validating and sanitizing user input is crucial to mitigating this type of vulnerability. If a patched version is not available, consider disabling or removing the component.
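The two defences named above, validating the 'Full Name' value on the way in and escaping it wherever it is rendered, look like the following in PHP. This is an added example and not code from the School Visitor Log e-Book or from the SourceCodester advisory; the function names, the `full_name` POST field and the sample values are assumptions made for the illustration.

```php
<?php
// Added example (not the School Visitor Log e-Book's own code): validate the
// visitor's name on input and escape it on output. The 'full_name' field name
// and all function names are assumptions.

declare(strict_types=1);

/**
 * Validate a visitor's full name: trimmed, 1 to 100 characters, and limited to
 * letters, combining marks, spaces, apostrophes, hyphens and periods.
 * Returns the normalised value, or null if the input is rejected.
 */
function validate_full_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // \p{L} = letters, \p{M} = combining marks; /u makes the pattern UTF-8 aware.
    if (!preg_match("/^[\\p{L}\\p{M}' .\\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

/**
 * Escape a value for an HTML body or attribute context. ENT_QUOTES covers both
 * quote characters so the result is also safe inside attribute values.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one log-book row. Escaping is applied here, at output time, so a
 * stored value is neutralised even if it bypassed input validation earlier.
 */
function render_log_row(string $fullName, string $purpose): string
{
    return '<tr><td>' . h($fullName) . '</td><td>' . h($purpose) . '</td></tr>';
}

// Input side: reject a submission whose name fails validation.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $name = validate_full_name($_POST['full_name'] ?? '');
    if ($name === null) {
        http_response_code(400);
        echo 'Invalid full name.';
        exit;
    }
    // Persist $name with a prepared statement, then redirect to the log view.
}

// Output side, shown on constructed sample values (not real log entries):
// the second value contains markup, which is rendered as literal text.
$samples = [
    "Jane O'Brien",
    '<b>Bold</b> Visitor',
];
foreach ($samples as $s) {
    echo render_log_row($s, 'Meeting') . PHP_EOL;
}
```

Both layers are needed: validation keeps clearly malformed names out of the database, while output escaping is what actually prevents stored markup from being interpreted by the browser, including for records that were saved before the fix.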
CVE-2023-7059 is a cross-site scripting vulnerability in School Visitor Log e-Book versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'Full Name' field.
You are affected if you are using School Visitor Log e-Book versions 1.0 through 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the School Visitor Log e-Book. As a temporary workaround, implement input validation on the 'Full Name' field.
As of the publication date, there are no confirmed reports of active exploitation campaigns targeting CVE-2023-7059.
Refer to the SourceCodester advisory for details: [https://sourcecodester.com/news/school-visitor-log-ebook-vulnerability](https://sourcecodester.com/news/school-visitor-log-ebook-vulnerability)