Platform
php
Component
myaac
Fixed in
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12
0.8.13
0.8.14
CVE-2023-7076 is a cross-site scripting (XSS) vulnerability affecting MyAAC versions 0.8.0 through 0.8.13. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides in the file system/pages/bugtracker.php and is triggered by manipulating specific parameters. An upgrade to version 0.8.14 is available to address this issue.
Successful exploitation of CVE-2023-7076 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including stealing user credentials, redirecting users to phishing sites, or modifying the content of the web page. The impact is amplified if the application handles sensitive data or is integrated with other systems. An attacker could potentially gain access to user accounts and perform actions on their behalf, leading to data breaches and reputational damage. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant immediate attention.
CVE-2023-7076 is not currently listed on KEV. The EPSS score is likely low given the CVSS score and the availability of a straightforward patch. Public proof-of-concept (PoC) code is not widely available as of the publication date. The vulnerability was disclosed publicly on December 22, 2023, and a patch was released shortly thereafter. There are no confirmed reports of active exploitation at this time.
Exploit Status
EPSS
0.15% (35% percentile)
CVSS Vector
The primary mitigation for CVE-2023-7076 is to upgrade MyAAC to version 0.8.14 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the bugtracker.php page to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block malicious XSS payloads targeting the vulnerable parameters. Review and harden the application's security configuration to minimize the attack surface. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the bug report form and verifying that it is properly neutralized.
Update MyAAC to version 0.8.14 or later. This version contains a fix for the XSS vulnerability. The update can be performed by downloading the new version from the official website or using a package management system if available.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-7076 is a cross-site scripting (XSS) vulnerability in MyAAC versions 0.8.0 through 0.8.13, allowing attackers to inject malicious scripts.
Yes, if you are running MyAAC versions 0.8.0 through 0.8.13, you are vulnerable to this XSS attack.
Upgrade MyAAC to version 0.8.14 or later to resolve the vulnerability. Input validation and output encoding can be temporary workarounds.
As of the publication date, there are no confirmed reports of active exploitation, but vigilance is still advised.
Refer to the MyAAC project's official website or security advisories for the latest information and updates regarding this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.