Platform: php
Component: vulndis
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester User Registration and Login System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the /endpoint/delete-user.php file and is addressed in version 1.0.1.
Successful exploitation of CVE-2023-6462 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious activities, including session hijacking, credential theft, and defacement of the application. The attacker could potentially steal sensitive user data, such as usernames, passwords, and personal information. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of the application and its users, depending on the attacker's goals and the privileges of the affected user.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, suggesting that exploitation may require specific conditions or user interaction. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Organizations utilizing SourceCodester User Registration and Login System in their applications, particularly those with user-facing features and sensitive data, are at risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as a compromised user account could potentially impact other users on the same server.
• php / web:
curl -I 'http://your-website.com/endpoint/delete-user.php?user=<script>alert(1)</script>' | grep -i 'content-type'
• generic web:
curl -s 'http://your-website.com/endpoint/delete-user.php?user=<script>alert(1)</script>' | grep 'alert(1)'
disclosure
patch
Exploit status
EPSS: 0.08% (percentile 24%)
CVSS vector
The primary mitigation for CVE-2023-6462 is to upgrade to version 1.0.1 of the SourceCodester User Registration and Login System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /endpoint/delete-user.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies and procedures to prevent similar vulnerabilities from arising in the future. After upgrade, confirm functionality by attempting to delete a user account and verifying that no malicious scripts are executed.
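The input validation and output encoding mentioned above, as an added illustration rather than the project's own code (which this page does not reproduce): the `user` parameter name is taken from the detection commands, while the assumption that a user id is a positive integer and the response markup are hypothetical.

```php
<?php
// Added example, not SourceCodester code. Shows the general shape of a
// reflected XSS in an endpoint like /endpoint/delete-user.php and a hardened
// version. Parameter name "user" and the integer-id rule are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request value is interpolated straight into HTML,
// so a value such as <script>alert(1)</script> is rendered as live markup.
function render_vulnerable(string $user): string
{
    return "<p>User {$user} could not be deleted.</p>";
}

// Layer 1, input validation: accept only a positive integer user id.
function validate_user_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Layer 2, output encoding: anything placed in the HTML body is entity-encoded
// (quotes included, so it is also safe inside attribute values).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $raw): string
{
    $id = validate_user_id($raw);
    if ($id === null) {
        // Do not reflect the rejected value back; a fixed message is enough.
        return '<p>Invalid user id.</p>';
    }
    return '<p>User ' . h((string) $id) . ' could not be deleted.</p>';
}

// Self-check with a constructed payload (run: php this_file.php).
$payload = '<script>alert(1)</script>';
assert(str_contains(render_vulnerable($payload), '<script>'));
assert(!str_contains(render_hardened($payload), '<script>'));
assert(render_hardened('42') === '<p>User 42 could not be deleted.</p>');
echo render_hardened($payload), "\n";
```

The same two layers apply to any other request field the endpoint reflects; encoding at output time is what guarantees a stray value cannot become script even if a validation rule is later relaxed.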
Update to a patched version or apply the fix provided by the vendor. Validate and sanitize user input in the `delete-user.php` script to prevent XSS injection. Escape HTML output to prevent execution of malicious scripts.
CVE-2023-6462 is a cross-site scripting (XSS) vulnerability affecting SourceCodester User Registration and Login System versions 1.0-1.0, allowing attackers to inject malicious scripts.
You are affected if you are using SourceCodester User Registration and Login System versions 1.0 through 1.0. Upgrade to 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of SourceCodester User Registration and Login System. Input validation and output encoding can provide temporary protection.
While publicly disclosed, there are no confirmed reports of active exploitation at this time. Monitor security advisories for updates.
Refer to the SourceCodester website and security advisories for the latest information regarding CVE-2023-6462 and available patches.