CVE-2019-25093 · CVSS 2.4 (LOW)

dragonexpert Recent Threads on Index: cross-site scripting in recentthread_list_threads (hooks.php, plugin setting)


Platform: php
Component: recentthreads

AI confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2019-25093 describes a cross-site scripting (XSS) vulnerability, classified as problematic, in the dragonexpert Recent Threads on Index plugin (component recentthreads). The affected code is the function recentthread_list_threads in inc/plugins/recentthreads/hooks.php: the value of the recentthread_forumskip argument, a plugin setting, reaches the rendered page without adequate escaping, so a crafted value is interpreted as script by visitors' browsers. Copies of the plugin that do not include commit 051465d807a8fcc6a8b0f4bcbb19299672399f48 are affected; that commit is the available fix.

Impact and Attack Scenarios

Successful exploitation of CVE-2019-25093 lets an attacker have arbitrary JavaScript executed in the browsers of other users who view the affected page. The usual consequences of XSS apply: session hijacking where session cookies are readable by script, actions performed in the victim's name, defacement of the rendered page, and redirection to phishing sites. Because the CVSS vector on this page rates Privileges Required as High and User Interaction as Required, the realistic scenario is a stored injection through the plugin setting: a privileged account (or an attacker who has taken one over) places the payload in recentthread_forumskip, and it is then rendered to everyone who loads the page where the recent-threads block appears. The blast radius grows with the traffic of that page, since a single stored payload reaches every visitor; the rating also reflects that no confidentiality or availability impact was scored.

Exploitation Context

CVE-2019-25093 concerns a 2019 issue and was published to the NVD on January 2, 2023. There are no known active campaigns targeting this specific vulnerability, and public proof-of-concept exploits are not widely available, which points to a low exploitation probability. The CVSS base score of 2.4 (LOW), driven mainly by the high privilege requirement, supports that assessment.

Who Is at Risk

Forums running the dragonexpert Recent Threads on Index plugin without the fixing commit are at risk. Installations that share a single copy of the plugin across several sites deserve attention, because one unpatched copy leaves every site that loads it vulnerable; patching that one copy fixes them all.

Detection Steps

• php / web: locate the plugin file and see how the argument is handled:

grep -n 'recentthread_forumskip' /var/www/html/inc/plugins/recentthreads/hooks.php

The string is present in patched copies as well, so a match alone proves nothing; what matters is whether the value is escaped before it reaches HTML output. Compare the installed file with commit 051465d807a8fcc6a8b0f4bcbb19299672399f48 of the plugin.

• generic web: hooks.php is a plugin include loaded by MyBB, not a standalone endpoint, so requesting it directly with a recentthread_forumskip query parameter tests nothing, and curl -I would return only headers in any case. The setting is rendered on the forum page that shows the recent-threads block. On a test instance, set recentthread_forumskip to a harmless marker value in the plugin's settings, then fetch the page (index.php is an assumed path; use whichever page renders the block) and check whether the marker appears unescaped:

curl -s http://your-website.com/index.php | grep -n 'recentthread'


Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.34% (percentile 56%)

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N · base score 2.4 (LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (level of authentication required)
User Interaction: Required (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service interruption)

Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
High: an administrator or otherwise privileged account is required.
User Interaction
Required: the victim must open a file, click a link, or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no impact on confidentiality.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
None: no impact on availability.

Affected Software

Component: recentthreads
Vendor: dragonexpert
Affected range: n/a
Fixed in: n/a (no version range recorded; the fix is commit 051465d807a8fcc6a8b0f4bcbb19299672399f48)


Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No fixed version recorded in the tracker; 1238 days since disclosure. (A patch commit nonetheless exists; see Mitigation below.)

Mitigation and Workarounds

The primary mitigation for CVE-2019-25093 is to apply the fixing commit, 051465d807a8fcc6a8b0f4bcbb19299672399f48, or to update the plugin to a version that includes it. Back up inc/plugins/recentthreads/hooks.php before applying the patch. If applying the patch is not feasible, restrict the recentthread_forumskip setting to the form it is supposed to have and escape it wherever it is written into HTML; since the CVSS vector rates the required privileges as High, also review which accounts can edit plugin settings. A web application firewall tuned for XSS adds a layer of defence but does not replace output escaping, and it will not see a value that is stored through the admin panel and rendered later. After patching, confirm the fix on a test instance by placing a simple script payload in the recentthread_forumskip setting and verifying that it is rendered as inert text rather than executed.
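The following is an added example, not code from the plugin or its author, that shows the two-layer workaround described above for a MyBB-style plugin setting. It assumes, as a hypothetical reading of the name, that recentthread_forumskip holds a comma-separated list of forum IDs to skip, and that the plugin builds its HTML by string concatenation. The names render_unsafe, parse_forum_ids and render_safe are illustrative; htmlspecialchars_uni is MyBB's escaping helper, with a fallback defined so the script runs outside MyBB. The stored value is constructed sample input.

```php
<?php
// Added example (not the recentthreads plugin's own code).
// Assumption: the setting is a comma-separated list of integer forum IDs.

// MyBB provides htmlspecialchars_uni() in inc/functions.php; this fallback
// makes the example runnable on its own.
if (!function_exists('htmlspecialchars_uni')) {
    function htmlspecialchars_uni($message) {
        return htmlspecialchars((string) $message, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample: what a privileged user could store in the setting.
$stored = '3,7,<script>alert(document.cookie)</script>';

// Vulnerable pattern: the raw setting is concatenated into markup, so the
// script runs for every visitor who loads the page with the block.
function render_unsafe($forumskip) {
    return '<div class="recentthreads" data-skip="' . $forumskip . '">...</div>';
}

// Layer 1: validate the value against what it is supposed to be. Anything
// that is not a non-negative integer is discarded; duplicates are removed.
function parse_forum_ids($value) {
    $ids = array();
    foreach (explode(',', (string) $value) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

// Layer 2: escape at the output sink regardless of validation. The template
// decides the HTML context, so the template is where escaping belongs.
function render_safe($forumskip) {
    $clean = implode(',', parse_forum_ids($forumskip));
    return '<div class="recentthreads" data-skip="'
         . htmlspecialchars_uni($clean) . '">...</div>';
}

echo render_unsafe($stored), PHP_EOL;   // payload survives verbatim
echo render_safe($stored), PHP_EOL;     // data-skip="3,7"

// Escaping alone also neutralises an attribute-breakout attempt that
// validation might let through if the whitelist were looser.
echo htmlspecialchars_uni('"><img src=x onerror=alert(1)>'), PHP_EOL;
```

Validation limits what can be stored; escaping guarantees that whatever is stored cannot change the HTML structure. Keeping both means a later change to the allowed format does not silently reopen the injection.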

How to Fix

Update the Recent Threads on Index plugin to the latest available version. The vulnerability is fixed in any version that includes commit 051465d807a8fcc6a8b0f4bcbb19299672399f48. Consult the plugin's changelog for details of the update.


Frequently Asked Questions

What is CVE-2019-25093 — XSS in Dragonexpert Recent Threads on Index?

CVE-2019-25093 is a cross-site scripting (XSS) vulnerability in the Dragonexpert Recent Threads on Index plugin, allowing attackers to inject malicious scripts via the recentthread_forumskip parameter.

Am I affected by CVE-2019-25093 in Dragonexpert Recent Threads on Index?

You are affected if your copy of dragonexpert Recent Threads on Index does not include commit 051465d807a8fcc6a8b0f4bcbb19299672399f48.

How do I fix CVE-2019-25093 in Dragonexpert Recent Threads on Index?

Apply commit 051465d807a8fcc6a8b0f4bcbb19299672399f48 or update to a plugin version that includes it. Back up hooks.php before applying.

Is CVE-2019-25093 being actively exploited?

There are no known active campaigns targeting CVE-2019-25093 at this time, but it remains a potential risk.

Where can I find the official Dragonexpert advisory for CVE-2019-25093?

Refer to the VDB entry (VDB-217182) for more information and potential links to the Dragonexpert advisory.
