Platform
php
Component
vehicle-showroom-management-system
Fixed in
1.0.1
CVE-2026-6034 is a cross-site scripting (XSS) vulnerability in the Vehicle Showroom Management System: the BRANCH_ID parameter of /BranchManagement/ProfitAndLossReport.php is reflected into the response without being encoded for the HTML context (see the check commands below), so an attacker can inject script into the page. The vulnerability is listed as affecting versions 1.0.0 through 1.0, with a fix in 1.0.1. A public exploit is available, which lowers the bar for exploitation.
Successful exploitation of CVE-2026-6034 lets an attacker run arbitrary JavaScript in the browser session of any user who opens a crafted link to the vulnerable endpoint. That script runs with the victim's privileges in the application: it can read page content and any cookies not marked HttpOnly, submit requests on the victim's behalf, redirect the victim to an attacker-controlled site, or deface the displayed report. The impact is higher where the application holds customer or financial data, and a victim with an administrator account exposes every function that account can reach. With a public exploit available, every unpatched installation that is reachable by its users' browsers should be considered at risk.
A public proof-of-concept exists for CVE-2026-6034, so no exploit development is needed. The vulnerability was disclosed on 2026-04-10. The CVSS score of 4.3 (Medium) is consistent with a reflected XSS: it needs a victim to open a crafted link and compromises only that victim's session, which limits severity even though exploitation itself is easy. The EPSS estimate on this page (0.03%, 10th percentile) predicts a low probability of exploitation in the wild; a public PoC raises that risk but is not by itself evidence of active campaigns.
Organizations running the Vehicle Showroom Management System are at risk, particularly where the instance is reachable from the internet, since the attacker only needs a victim to open a crafted link. Installations with many users (for example several branches or dealerships on one instance) are especially exposed, because all of those users share the same origin and the same crafted link works against any of their sessions, including administrative ones.
• php / generic web: confirm that the payload comes back unencoded in the response body (adjust the HTTP method to whatever the form on your installation uses):
curl -s -X POST "http://<target>/BranchManagement/ProfitAndLossReport.php?BRANCH_ID=%3Cscript%3Ealert(1)%3C/script%3E" | grep -F "<script>alert(1)</script>"
• generic web: check that the endpoint is reachable and inspect the response headers (for example whether a Content-Security-Policy header is set); a HEAD request returns no body, so this does not show the reflection itself:
curl -I "http://<target>/BranchManagement/ProfitAndLossReport.php?BRANCH_ID=%3Cscript%3Ealert(1)%3C/script%3E"
• generic web: look for exploitation attempts in the web server access log, matching both the raw and the percent-encoded form of the tag (browsers and most tools encode it) and restricting to the vulnerable script:
grep -iE 'ProfitAndLossReport\.php.*(<script|%3Cscript)' /var/log/apache2/access.log
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-6034 is to upgrade to a patched version of the Vehicle Showroom Management System (1.0.1 as listed above). If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule for the BRANCH_ID parameter of /BranchManagement/ProfitAndLossReport.php: if branch identifiers are numeric on your installation, reject any value that is not a short string of digits; otherwise block values containing the characters < > " ' or their percent-encoded forms (%3C, %3E, %22, %27). Treat the WAF rule as a stopgap only, since input filters are routinely bypassed. The lasting fix belongs in the application: validate BRANCH_ID against its expected format on input, and encode it for the HTML context on output (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset), then apply the same treatment to every other user-supplied value the application renders. After applying mitigations, request ProfitAndLossReport.php with the payloads from the check commands above, including percent-encoded and mixed-case variants, and confirm that the response no longer contains the payload unencoded.
Update the Vehicle Showroom Management System to the latest available version to mitigate the XSS (cross-site scripting) vulnerability. Validate and sanitize user input, in particular the BRANCH_ID parameter, to prevent injection of malicious code. Implement output encoding so that data is escaped before it is displayed on the page.
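As an added example that is not code from the Vehicle Showroom Management System (the real ProfitAndLossReport.php source is not reproduced on this page), the following PHP contrasts the pattern behind this class of bug with a hardened version. Only the parameter name BRANCH_ID comes from the advisory; the function names, the assumption that a branch id is a positive integer, and the surrounding markup are illustrative assumptions.

```php
<?php
// Added illustrative example, not the project's code. Only the BRANCH_ID
// parameter name is taken from the advisory; everything else is assumed.
declare(strict_types=1);

// Vulnerable pattern: the request parameter is written into the HTML as-is,
// so a value like <script>alert(1)</script> reaches the browser verbatim.
function render_branch_header_vulnerable(array $request): string
{
    $branchId = $request['BRANCH_ID'] ?? '';
    return '<h2>Profit and loss report for branch ' . $branchId . '</h2>';
}

// Output encoding for HTML text and attribute values. ENT_QUOTES encodes both
// ' and " (so the helper is also safe inside quoted attributes), ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently yielding an empty string, and the charset
// is stated explicitly rather than relying on the default.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation on top of encoding: a branch id is assumed to be a
// positive integer, so anything else is rejected rather than "cleaned".
function branch_id_from_request(array $request): ?int
{
    $raw = $request['BRANCH_ID'] ?? null;
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,9}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Hardened handler: validate first, then still encode on output (defence in
// depth; the same esc() helper covers free-text fields in the same template).
function render_branch_header_hardened(array $request): string
{
    $branchId = branch_id_from_request($request);
    if ($branchId === null) {
        return '<p>Invalid branch id.</p>';
    }
    return '<h2>Profit and loss report for branch ' . esc((string) $branchId) . '</h2>';
}

// Constructed inputs mirroring the check commands on this page.
$attack = ['BRANCH_ID' => '<script>alert(1)</script>'];
$legit  = ['BRANCH_ID' => '12'];

echo render_branch_header_vulnerable($attack), PHP_EOL; // tag survives into the HTML
echo render_branch_header_hardened($attack), PHP_EOL;   // request rejected
echo render_branch_header_hardened($legit), PHP_EOL;    // normal report header
echo esc($attack['BRANCH_ID']), PHP_EOL;                // entity-encoded, inert in HTML text
```

Run it with `php example.php`. Validation alone is not enough if BRANCH_ID can legitimately be free text on some installations; in that case keep the allow-list looser and rely on esc() at every point where the value lands in HTML. Encoding must match the context: htmlspecialchars is correct for HTML text and quoted attributes, but a value placed inside a script block or a URL needs a different encoder.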
CVE-2026-6034 is a cross-site scripting (XSS) vulnerability in Vehicle Showroom Management System versions 1.0.0–1.0, allowing attackers to inject malicious scripts.
If you are using Vehicle Showroom Management System versions 1.0.0–1.0 and have not upgraded, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of Vehicle Showroom Management System. As a temporary workaround, implement a WAF rule to filter malicious input targeting the BRANCH_ID parameter.
A public proof-of-concept is available for CVE-2026-6034, so exploitation requires little skill, but this page records no confirmed in-the-wild exploitation and its EPSS estimate is low (0.03%). Treat the public PoC as a reason to patch promptly rather than as evidence of active campaigns.
Please refer to the official Vehicle Showroom Management System website or security channels for the advisory related to CVE-2026-6034.