Platform: php
Component: engineers-online-portal
Fixed in: 1.0.1
CVE-2023-7160 is a cross-site scripting (XSS) vulnerability discovered in SourceCodester Engineers Online Portal version 1.0. This flaw allows an attacker to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability impacts the Add Engineer Handler functionality and affects version 1.0. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code into the first name or last name fields of the Add Engineer Handler. When a user views the page containing the injected script, the script will execute in their browser context. This can allow the attacker to steal session cookies, redirect the user to a malicious website, or modify the content of the page. The potential impact extends to any user who interacts with the vulnerable functionality, making it a significant risk, especially in environments where sensitive data is handled.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The exploit is relatively straightforward, making it likely that attackers will attempt to exploit it. The vulnerability was published on 2023-12-29. It is not currently listed on CISA KEV.
Organizations using Engineers Online Portal version 1.0, particularly those with limited security controls or those handling sensitive user data, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially impact others.
• php / web:
  grep -r '<script>' /var/www/html/engineers_online_portal/
• generic web:
  curl -I http://your-portal-url.com/add_engineer.php | grep -i content-type
Exploit status
EPSS: 0.10% (percentile 26%)
CVSS vector
The primary mitigation for CVE-2023-7160 is to upgrade to version 1.0.1 of Engineers Online Portal. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Add Engineer Handler to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to address potential XSS vulnerabilities.
Update to a patched version of the software. Validate and sanitize the 'first name' and 'last name' fields to prevent the injection of malicious code. Implement a Content Security Policy (CSP) to mitigate XSS attacks.
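The input validation and output encoding recommended above as a workaround, as an added PHP example that is not the portal's own code; the function names, the row layout, the allowed-character policy and the CSP directives are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not the Engineers Online Portal's own code. Function names
// and the row layout are assumed; the real Add Engineer Handler may differ.

/**
 * Accept only letters, combining marks, spaces, hyphens, apostrophes and
 * periods in a name field; return null for anything else.
 */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    // \p{L} = letters, \p{M} = combining marks; /u enables UTF-8 matching.
    return preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name) === 1 ? $name : null;
}

/** Escape a stored value before placing it in HTML text or an attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one row of the engineer list. Escaping happens at output time,
 *  so records stored before validation existed are neutralised as well. */
function render_engineer_row(string $first, string $last): string
{
    return '<tr><td>' . h($first) . '</td><td>' . h($last) . '</td></tr>';
}

// CSP as a second layer (assumed policy); must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample submissions standing in for the two form fields.
$submissions = [
    ['Marie-Claire', "O'Neil"],                     // accepted
    ['Robert <script>alert(1)</script>', 'Smith'],  // rejected on input
];
foreach ($submissions as [$firstRaw, $lastRaw]) {
    $first = validate_name($firstRaw);
    $last  = validate_name($lastRaw);
    echo ($first === null || $last === null)
        ? 'rejected: ' . h($firstRaw) . "\n"
        : 'accepted: ' . render_engineer_row($first, $last) . "\n";
}

// A record stored before validation was added still renders as inert text.
echo render_engineer_row('<script>alert(1)</script>', 'Legacy'), "\n";
```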
CVE-2023-7160 is a cross-site scripting (XSS) vulnerability affecting Engineers Online Portal version 1.0, allowing attackers to inject malicious scripts via the Add Engineer Handler.
If you are using Engineers Online Portal version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Add Engineer Handler.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2023-7160.