Plateforme
php
Composant
online-quiz-system
Corrigé dans
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Quiz System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating the quiztaker/yearsection parameter within the take-quiz.php file. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6473 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Quiz System. This could lead to session hijacking, credential theft, defacement of the quiz interface, or redirection to malicious websites. The attacker could potentially gain access to sensitive user data, such as quiz answers or personal information stored within the system. The impact is amplified if the quiz system is used in a sensitive environment, such as an educational institution or a corporate training program.
This vulnerability has been publicly disclosed and is tracked by VDB-246639. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. Public proof-of-concept exploits may become available, increasing the risk of widespread exploitation. No active campaigns have been reported at the time of this writing, but monitoring is recommended.
Organizations and individuals using SourceCodester Online Quiz System versions 1.0 through 1.0 are at risk. This includes educational institutions, training providers, and any entity utilizing the system for online quizzes or assessments. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• php / web:
curl -I 'http://your-quiz-system.com/take-quiz.php?quiz_taker/year_section=<script>alert(1)</script>' | grep HTTP/1.1• generic web:
grep -i 'quiz_taker/year_section=' /var/log/apache2/access.logdisclosure
patch
Statut de l'Exploit
EPSS
0.08% (percentile 24%)
Vecteur CVSS
The primary mitigation for CVE-2023-6473 is to upgrade to version 1.0.1 of the Online Quiz System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the quiztaker/yearsection parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review and update the Online Quiz System to ensure you are running the latest version with the latest security patches.
Actualizar a una versión parcheada o aplicar una solución que filtre y escape correctamente las entradas de usuario en el archivo `take-quiz.php`, especialmente los parámetros `quiz_taker` y `year_section`. Validar y limpiar las entradas antes de usarlas en la salida HTML para prevenir la inyección de código malicioso. Si no hay una versión parcheada disponible, considere deshabilitar o eliminar la funcionalidad vulnerable.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2023-6473 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions 1.0–1.0, allowing attackers to inject malicious scripts via the quiztaker/yearsection parameter.
You are affected if you are using SourceCodester Online Quiz System versions 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the Online Quiz System. As a temporary workaround, implement input validation and sanitization on the quiztaker/yearsection parameter.
While no active campaigns have been reported, the vulnerability is publicly disclosed and potentially exploitable, so monitoring is recommended.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2023-6473.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.