Platform: php
Component: engineers-online-portal
Fixed in: 1.0.1
CVE-2023-7160 is a cross-site scripting (XSS) vulnerability discovered in SourceCodester Engineers Online Portal version 1.0. This flaw allows an attacker to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability impacts the Add Engineer Handler functionality and affects version 1.0. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code into the first name or last name fields of the Add Engineer Handler. When a user views the page containing the injected script, the script will execute in their browser context. This can allow the attacker to steal session cookies, redirect the user to a malicious website, or modify the content of the page. The potential impact extends to any user who interacts with the vulnerable functionality, making it a significant risk, especially in environments where sensitive data is handled.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The exploit is relatively straightforward, making it likely that attackers will attempt to exploit it. The vulnerability was published on 2023-12-29. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.10% (26th percentile)
CVSS Vector
The primary mitigation for CVE-2023-7160 is to upgrade to version 1.0.1 of Engineers Online Portal. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Add Engineer Handler to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to address potential XSS vulnerabilities.
Update to a patched version of the software. Validate and sanitize the inputs of the 'first name' and 'last name' fields to prevent the injection of malicious code. Implement a content security policy (CSP) to mitigate XSS attacks.
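The following added example (not code from Engineers Online Portal; the function names and the `firstname`/`lastname` field names are assumed) shows the unescaped output pattern that makes stored XSS in name fields possible, next to the hardened form: a conservative validator for the two fields, HTML output encoding, and a CSP header as defense in depth.

```php
<?php
// Added example, not code from Engineers Online Portal; function and field
// names (firstname, lastname) are assumed for illustration.
// Vulnerable pattern: a stored value is written into the page unescaped,
// so a name containing markup is rendered as HTML by the viewer's browser.
function render_name_unsafe(string $first, string $last): string
{
    return "<td>$first $last</td>";
}

// Input validation: accept only characters plausible in a person's name.
// Returns null when the value should be rejected.
function validate_name(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    // Unicode letters and marks, spaces, apostrophes, hyphens and periods only.
    return preg_match('/^[\p{L}\p{M}\' .\-]+$/u', $value) ? $value : null;
}

// Output encoding, the essential fix: escape every stored value where it is
// inserted into HTML, whether or not it was validated on input.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $first, string $last): string
{
    return '<td>' . e($first) . ' ' . e($last) . '</td>';
}

// Defense in depth: a CSP without 'unsafe-inline' keeps inline script from
// running even if an encoding gap remains elsewhere in the application.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}
// Hypothetical handler: validate on the way in, encode on the way out.
$first = validate_name($_POST['firstname'] ?? '');
$last  = validate_name($_POST['lastname'] ?? '');
if ($first === null || $last === null) {
    http_response_code(400);
    exit('Invalid name');
}
send_csp_header();
echo render_name_safe($first, $last);
```

Output encoding at the point of rendering is the control that actually closes the flaw; the validator narrows the attack surface and the CSP limits impact if an encoding gap remains.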
CVE-2023-7160 is a cross-site scripting (XSS) vulnerability affecting Engineers Online Portal version 1.0, allowing attackers to inject malicious scripts via the Add Engineer Handler.
If you are using Engineers Online Portal version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Add Engineer Handler.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2023-7160.