Platform: php
Component: cves
Fixed in: 1.0.1
CVE-2023-7135 is a problematic cross-site scripting (XSS) vulnerability discovered in Record Management System version 1.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and stealing sensitive information. The affected component is the 'offices.php' file within the 'main' directory, specifically the 'officename' parameter. A patch is available in version 1.0.1.
The primary impact of CVE-2023-7135 is the potential for cross-site scripting (XSS) attacks. An attacker can inject arbitrary JavaScript code into the Record Management System by manipulating the 'officename' parameter in the 'offices.php' file. This malicious script can then execute in the context of a user's browser, allowing the attacker to steal cookies, redirect users to phishing sites, or deface the application. The vulnerability is remotely exploitable, meaning an attacker does not need to be authenticated to exploit it. Given the public disclosure of this vulnerability, it is highly likely that attackers are actively scanning for and exploiting vulnerable instances.
This vulnerability has been publicly disclosed and a proof-of-concept (PoC) is likely available. The CVSS score of 2.4 indicates a LOW severity, but the ease of exploitation and potential impact on user data warrant immediate attention. The vulnerability is tracked by VDB-249138. Given the public disclosure, it is reasonable to assume that attackers are actively scanning for and exploiting vulnerable instances.
EPSS: 0.13% (33% percentile)
The recommended mitigation for CVE-2023-7135 is to immediately upgrade to version 1.0.1 of the Record Management System. This version contains a fix for the XSS vulnerability. If upgrading is not immediately possible, consider implementing input validation and output encoding on the 'officename' parameter in 'offices.php' to sanitize user input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'officename' parameter and verifying that the script does not execute.
Update to a patched version of the Record Management System. If no version is available, sanitize the input of the 'officename' parameter in the /main/offices.php file to prevent the execution of malicious JavaScript code. Escape or remove HTML and JavaScript tags before displaying the value on the page.
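One way to apply the input validation and output encoding described above, as an added PHP example. It is not the Record Management System's code or its 1.0.1 patch; the function names, the allowlist policy and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handling of an 'officename' value.
// Not taken from the Record Management System source or its patch.
declare(strict_types=1);

/**
 * Input validation: accept only names matching an allowlist.
 * Policy is an assumption: 1-100 chars of letters, digits, space . , ' & ( ) -
 * Returns the trimmed name, or null when the value is rejected.
 */
function validate_office_name(string $raw): ?string
{
    $name = trim($raw);
    if (!preg_match('/^[\p{L}\p{N} .,\'&()\-]{1,100}\z/u', $name)) {
        return null;
    }
    return $name;
}

/**
 * Output encoding for HTML body and quoted-attribute contexts.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values; the third is the test string quoted on this page.
$samples = [
    'Registrar - Main Campus',
    "R&D (Dean's Annex)",
    '<script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $accepted = validate_office_name($raw) !== null;
    // Encode on every output, accepted or not: rows stored before the fix
    // never passed validation, and allowed characters such as & and '
    // still have meaning in HTML.
    printf("%-7s %s\n", $accepted ? 'accept' : 'reject', h($raw));
}
```

Validation narrows what gets stored, but the encoding call at the point of output is what keeps an already-stored value from being parsed as markup.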
CVE-2023-7135 is a cross-site scripting (XSS) vulnerability in Record Management System version 1.0, allowing attackers to inject malicious scripts via the 'officename' parameter in 'offices.php'.
Yes, if you are using Record Management System version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'officename' parameter.
Given the public disclosure and low CVSS score, it is likely that attackers are actively scanning for and exploiting vulnerable instances.
Refer to VDB-249138 for details on this vulnerability.