Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in code-projects Online Reviewer System version 1.0. This flaw allows a remote attacker to inject malicious scripts by manipulating the 'firstname' parameter within the /system/system/admins/manage/users/btn_functions.php file. Successful exploitation could lead to session hijacking or defacement of the application. A fix is available; upgrading to a patched version is the recommended remediation.
The XSS vulnerability in Online Reviewer System 1.0 allows an attacker to inject arbitrary JavaScript into the application. That code then executes in the browser of any user who views the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe if the application handles sensitive user data or is integrated with other systems. While the CVSS score is LOW, the potential for user compromise remains significant, especially in environments with limited security controls.
A public proof-of-concept (PoC) for this vulnerability has been released, indicating a relatively high likelihood of exploitation. The vulnerability is not currently listed on CISA KEV. Given the availability of a PoC and the ease of exploitation, organizations using Online Reviewer System 1.0 should prioritize patching.
Organizations using Online Reviewer System 1.0, particularly those with publicly accessible instances or those that handle sensitive user data, are at risk. Shared hosting environments where multiple users share the same server and application instance are also at increased risk, as a compromise of one user could potentially impact others.
• php / generic web:
grep -r 'firstname = $_POST' /system/system/admins/manage/users/btn_functions.php
• generic web:
curl -I 'http://your-server.com/system/system/admins/manage/users/btn_functions.php?firstname=<script>alert(1)</script>'
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2222 is to upgrade to a patched version of Online Reviewer System. If upgrading immediately is not possible, consider implementing input validation and output encoding on the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update security policies and procedures to minimize the risk of XSS vulnerabilities.
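As an added example (not code from Online Reviewer System; the real btn_functions.php is not reproduced on this page), a hypothetical PHP handler that reflects the 'firstname' value unencoded, beside the validated and HTML-encoded form that the workaround above describes. Function names and the accepted name format are assumptions.

```php
<?php
// Added example (not code from Online Reviewer System): a hypothetical
// handler that reflects a 'firstname' POST field, in a vulnerable form
// and a hardened form. Function names and the field's format are assumptions.

// VULNERABLE: the submitted value is concatenated straight into HTML, so
// any markup it contains becomes part of the page (the flaw class above).
function render_greeting_vulnerable(array $post): string
{
    $firstname = $post['firstname'] ?? '';
    return '<p>Welcome back, ' . $firstname . '</p>';
}

// HARDENED step 1: validate against an allow-list of what a first name
// may contain (letters incl. accented, spaces, hyphens, apostrophes; 1-60 chars).
function validate_firstname(string $value): ?string
{
    $value = trim($value);
    if (!preg_match('/^\p{L}[\p{L} \'\-]{0,59}$/u', $value)) {
        return null;
    }
    return $value;
}

// HARDENED step 2: encode for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function render_greeting_safe(array $post): string
{
    $firstname = validate_firstname((string) ($post['firstname'] ?? ''));
    if ($firstname === null) {
        return '<p class="error">Invalid first name.</p>';
    }
    $encoded = htmlspecialchars($firstname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Welcome back, ' . $encoded . '</p>';
}

// Constructed sample inputs (not captured traffic).
$hostile = ['firstname' => '<script>alert(1)</script>'];
echo render_greeting_vulnerable($hostile), PHP_EOL; // page gains a live <script>
echo render_greeting_safe($hostile), PHP_EOL;       // rejected by validation

$legit = ['firstname' => "O'Brien"];
echo render_greeting_safe($legit), PHP_EOL;         // <p>Welcome back, O&#039;Brien</p>
```

Validation alone is not enough where the field must accept arbitrary text; the output encoding in the second function is the control that holds regardless of what the input rule allows.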
Update to a fixed version of Online Reviewer System. Contact the vendor to obtain a fixed version, or apply the necessary security measures to prevent XSS code injection through the 'firstname' field.
CVE-2026-2222 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0 that allows remote attackers to inject malicious scripts by manipulating the 'firstname' parameter.
If you are using Online Reviewer System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Online Reviewer System. As a temporary workaround, implement input validation and output encoding.
A public proof-of-concept exists, suggesting a high probability of active exploitation. Organizations should prioritize patching.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-2222.