CVE-2023-7149 is a cross-site scripting (XSS) vulnerability affecting versions 1.0 through 1.0 of the QR Code Generator. An attacker can exploit this flaw by manipulating the 'file' parameter in the /download.php?file=author.png endpoint, potentially leading to the execution of arbitrary JavaScript code in a victim's browser. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
Successful exploitation of CVE-2023-7149 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive information like cookies and credentials. The vulnerability resides in the file download functionality, specifically the handling of the 'file' parameter. The attacker can craft a malicious URL containing a payload that, when accessed, executes the injected script. The impact is amplified if the QR Code Generator is integrated into a larger application or used to generate codes for sensitive data, as the attacker could potentially compromise the entire system.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported, but the availability of public information makes it a potential target for opportunistic attackers. The identifier VDB-249153 has been assigned to this vulnerability. It is not currently listed on CISA KEV.
EPSS: 0.13% (32nd percentile)
The primary mitigation for CVE-2023-7149 is to upgrade to version 1.0.1 of the QR Code Generator. This version includes a fix that addresses the vulnerable parameter handling. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'file' parameter to prevent the injection of malicious code. Additionally, implement a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious characters or patterns in the 'file' parameter. Regularly review and update the QR Code Generator's codebase to identify and address potential vulnerabilities. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a malicious payload and verifying that the script is not executed.
Update to a patched version or disable/remove the vulnerable component. Validate and sanitize user inputs, especially the 'file' parameter in the script '/download.php', to prevent malicious code injection. Implement a content security policy (CSP) to mitigate XSS attacks.
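As an added illustration of the validation and CSP advice above (example code written for this page, not the QR Code Generator's own download.php), the following is a hardened handler for the 'file' parameter. The downloads directory name, and the assumption that the original reflected the raw parameter into an HTML error message, are not taken from the advisory.

```php
<?php
// Hardened download handler for the 'file' parameter (added example; not the
// project's own code). The classic reflected-XSS pattern this advisory describes
// is assumed to look like: echo 'File ' . $_GET['file'] . ' not found';
// with the raw parameter written into an HTML response. Nothing below echoes it.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloads'; // assumed location of generated images

// Defence in depth on the browser side: a strict CSP blocks inline script even if
// some other page reflected an unsanitised value.
header("Content-Security-Policy: default-src 'none'; img-src 'self'");
header('X-Content-Type-Options: nosniff');

$file = $_GET['file'] ?? '';

// Allow-list: a plain file name of safe characters ending in .png. This rejects
// path separators, quotes, angle brackets and anything else that could be
// reflected as markup or used to walk outside the download directory.
if (!is_string($file) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $file)) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    // A fixed message cannot carry attacker-controlled content. If the name must
    // be displayed, pass it through htmlspecialchars($file, ENT_QUOTES, 'UTF-8').
    exit('Invalid file name.');
}

$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . '/' . $file);

// Second check: the resolved path must still sit inside the download directory.
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit('File not found.');
}

header('Content-Type: image/png');
// $file passed the allow-list above, so it is safe to place in a header value.
header('Content-Disposition: attachment; filename="' . $file . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A WAF rule for the same endpoint can mirror the allow-list: flag any request whose 'file' value contains characters outside that pattern.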
CVE-2023-7149 is a cross-site scripting (XSS) vulnerability in QR Code Generator versions 1.0 through 1.0, allowing attackers to inject malicious scripts via the 'file' parameter in the download endpoint.
You are affected if you are using QR Code Generator versions 1.0 through 1.0 and have not upgraded to version 1.0.1.
Upgrade to version 1.0.1 of QR Code Generator. As a temporary workaround, implement input validation and sanitization on the 'file' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the VDB entry (VDB-249153) for details, and to vendor advisories where available.