Platform
php
Component
-cve
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Interview Management System versions 1.0 through 1.0. This flaw resides within the /editQuestion.php file, allowing attackers to inject malicious scripts by manipulating the 'Question' argument. Successful exploitation could lead to session hijacking or defacement. A fix is available in version 1.0.1.
The XSS vulnerability in Interview Management System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they access a crafted URL. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application's interface. The remote nature of the vulnerability means an attacker doesn't need to be authenticated to exploit it, significantly expanding the potential attack surface. Given the public availability of an exploit, immediate action is crucial to prevent widespread compromise.
A public proof-of-concept exploit for CVE-2025-13343 is available, indicating a high likelihood of exploitation. The vulnerability has been added to the NVD database on 2025-11-18. The LOW CVSS score reflects the limited impact and relatively simple exploitation process, but the public exploit availability elevates the risk significantly. No known active campaigns targeting this vulnerability have been reported at this time.
Organizations utilizing SourceCodester Interview Management System, particularly those with publicly accessible instances or those lacking robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
curl -I 'http://your-interview-system/editQuestion.php?Question=<script>alert(1)</script>' | grep -i 'content-type'
• generic web:
curl -s 'http://your-interview-system/editQuestion.php?Question=<script>alert(1)</script>' | grep 'alert(1)'
disclosure
poc
Exploit status
EPSS
0.05% (percentile 15%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13343 is to immediately upgrade to version 1.0.1 of SourceCodester Interview Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Question' parameter within the /editQuestion.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor application logs for suspicious activity, particularly requests to /editQuestion.php with unusual parameters. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the 'Question' parameter and verifying it is properly sanitized.
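The following PHP is an added illustration of the interim mitigation described above (output encoding plus input validation on the 'Question' parameter); it is not the Interview Management System's own code, whose source is not reproduced on this page. It assumes that /editQuestion.php echoes the 'Question' request parameter back into an HTML input value, which is the usual shape of this bug; the function names `renderQuestionUnsafe`, `renderQuestionSafe` and `validateQuestion` and the sample payload are constructed for the example.

```php
<?php
// Added example, not the project's code. Assumed: editQuestion.php reads the
// 'Question' parameter and writes it into an <input value="..."> attribute.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into the page, so a
// value such as "><script>alert(1)</script> closes the attribute and the
// script element is parsed and executed by the victim's browser.
function renderQuestionUnsafe(string $question): string
{
    return '<input type="text" name="Question" value="' . $question . '">';
}

// Hardened pattern: encode for the HTML attribute context at the point of
// output. ENT_QUOTES encodes both ' and " so the value cannot break out of
// the attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop the field's content.
function renderQuestionSafe(string $question): string
{
    $encoded = htmlspecialchars(
        $question,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<input type="text" name="Question" value="' . $encoded . '">';
}

// Input validation as a second layer. An interview question is free text, so
// reject only what can never be a legitimate question (excessive length,
// ASCII control characters other than tab/CR/LF) rather than trying to
// blacklist tags; output encoding remains the actual XSS control.
function validateQuestion(string $question): bool
{
    if (strlen($question) > 1000) {
        return false;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $question) !== 1;
}

// Constructed sample input of the kind the advisory describes; in the real
// page this would come from the request, e.g. $_GET['Question'] ?? ''.
$samples = [
    'What is your experience with PHP?',
    '"><script>alert(1)</script>',
    "bad\x00bytes",
];

foreach ($samples as $question) {
    if (!validateQuestion($question)) {
        echo "rejected by validation: " . bin2hex($question) . "\n";
        continue;
    }
    // Side-by-side comparison; only the hardened form is safe to emit to a browser.
    echo "unsafe:   " . renderQuestionUnsafe($question) . "\n";
    echo "hardened: " . renderQuestionSafe($question) . "\n";
}
```

Run from the command line (`php example.php`) the second sample shows the difference: the unsafe rendering contains a live `<script>` element, while the hardened rendering contains `&quot;&gt;&lt;script&gt;...` inside the attribute, which the browser displays as text. The same `htmlspecialchars` call is the check to apply after upgrading to 1.0.1: submit the sample payload through the 'Question' field and confirm the response carries the encoded form, not the raw tag.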
Update to a patched version or apply the patch provided by the vendor. Sanitize user input, especially the 'Question' parameter in the 'editQuestion.php' file, to prevent injection of malicious code. Implement validation and output encoding to mitigate the risk of XSS.
CVE-2025-13343 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Interview Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /editQuestion.php file.
You are affected if you are using SourceCodester Interview Management System version 1.0 or 1.0. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'Question' parameter.
A public proof-of-concept exploit is available, indicating a high likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2025-13343.