SourceCodester Online Motorcycle Rental System Bike List cross site scripting
अनुवाद हो रहा है…प्लेटफ़ॉर्म
php
घटक
online-motorcycle-rental-system
में ठीक किया गया
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Motorcycle Rental System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /admin/?page=bike file, specifically within the handling of the Model parameter. A patch is available in version 1.0.1.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
Successful exploitation of CVE-2023-5585 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, which can then be used to impersonate the user and gain unauthorized access to the administrative panel. An attacker could also deface the website or redirect users to malicious sites. The impact is particularly severe for administrators, as their accounts could be compromised, granting the attacker full control over the motorcycle rental system.
शोषण संदर्भअनुवाद हो रहा है…
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is 2.4 (LOW), indicating a limited impact. It is not currently listed on CISA KEV. The vulnerability's location within the administrative interface suggests that exploitation would likely require an attacker to have some level of access to the system, or be able to trick an administrator into clicking a malicious link.
कौन जोखिम में हैअनुवाद हो रहा है…
Administrators of Online Motorcycle Rental System installations running versions 1.0–1.0 are at the highest risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's account could potentially lead to the compromise of others.
पहचान के चरणअनुवाद हो रहा है…
• generic web: Use curl or wget to access /admin/?page=bike and inspect the response for signs of injected script tags.
curl -s -X POST /admin/?page=bike -d 'Model=<script>alert("XSS")</script>' | grep -i alert• php: Examine the source code of /admin/?page=bike for inadequate input validation or output encoding of the Model parameter. Search for functions like htmlspecialchars or strip_tags that are not being used correctly.
• generic web: Monitor access logs for unusual requests to /admin/?page=bike with suspicious parameters in the Model field.
हमले की समयरेखा
- Disclosure
disclosure
- Patch
patch
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.04% (14% शतमक)
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- उच्च — व्यवस्थापक या विशेषाधिकार प्राप्त खाते की आवश्यकता।
- User Interaction
- आवश्यक — पीड़ित को फ़ाइल खोलनी, लिंक पर क्लिक करना या पेज पर जाना होगा।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- कोई नहीं — गोपनीयता पर कोई प्रभाव नहीं।
- Integrity
- निम्न — हमलावर सीमित दायरे में कुछ डेटा बदल सकता है।
- Availability
- कोई नहीं — उपलब्धता पर कोई प्रभाव नहीं।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2023-5585 is to upgrade to version 1.0.1 of the Online Motorcycle Rental System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Model parameter in the /admin/?page=bike file. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script (e.g., <script>alert('XSS')</script>) in the Model parameter and verifying that the script does not execute.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice el sistema Online Motorcycle Rental System a una versión parcheada o aplique las medidas de seguridad necesarias para evitar la inyección de código malicioso en el campo 'Model'. Valide y escape las entradas del usuario para prevenir ataques XSS.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2023-5585 — XSS in Online Motorcycle Rental System?
CVE-2023-5585 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Motorcycle Rental System versions 1.0–1.0, allowing attackers to inject malicious scripts.
Am I affected by CVE-2023-5585 in Online Motorcycle Rental System?
You are affected if you are running SourceCodester Online Motorcycle Rental System version 1.0 or 1.0. Check your version and upgrade immediately.
How do I fix CVE-2023-5585 in Online Motorcycle Rental System?
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the Model parameter.
Is CVE-2023-5585 being actively exploited?
While exploitation is possible due to public disclosure, there are no confirmed reports of active exploitation at this time.
Where can I find the official Online Motorcycle Rental System advisory for CVE-2023-5585?
Refer to the SourceCodester website or their official communication channels for the advisory regarding CVE-2023-5585.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।