Platform
php
Component
cve_hub
Fixed in
1.0.1
CVE-2023-5694 describes a cross-site scripting (XSS) vulnerability discovered in CodeAstro Internet Banking System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts into the system, potentially compromising user accounts and sensitive data. A patch is available in version 1.0.1, addressing this issue.
The XSS vulnerability in CodeAstro Internet Banking System allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal session cookies, redirect users to malicious websites, or deface the banking system's interface. Successful exploitation could lead to unauthorized access to user accounts, financial fraud, and reputational damage for the banking institution. The remote nature of the vulnerability means attackers don't need local access to exploit it.
This vulnerability has been publicly disclosed and a proof-of-concept exploit may be available. While the CVSS score is LOW, the potential impact on a financial institution makes it a significant concern. The vulnerability is not currently listed on CISA KEV as of this writing. Public exploit details are available via VDB-243132.
Financial institutions using CodeAstro Internet Banking System version 1.0 are directly at risk. Shared hosting environments where multiple banking systems are deployed on the same server could also be affected, as a vulnerability in one system could potentially compromise others. Organizations relying on legacy configurations or custom modifications of the CodeAstro system may be particularly vulnerable.
• generic web: Use curl or wget to request the pages_system_settings.php endpoint with a simple XSS payload (e.g., <script>alert(1)</script>) in the sys_name parameter, then check whether the payload is reflected unencoded in the response body (curl does not render the page, so the indicator is the raw script tag in the returned HTML rather than an alert box).
curl 'http://your-internet-banking-system/pages_system_settings.php?sys_name=<script>alert(1)</script>'
• php: Examine the pages_system_settings.php file for inadequate input validation or output encoding of the sys_name parameter. Search for patterns like echo $_GET['sys_name'] without proper sanitization.
disclosure
patch
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2023-5694 is to upgrade to CodeAstro Internet Banking System version 1.0.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the sys_name parameter within pages_system_settings.php. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the sys_name parameter and verifying that the script does not execute.
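As an added illustration of the mitigation described above (this is not CodeAstro's code; only the parameter name sys_name and the file name pages_system_settings.php come from the advisory, while the render functions and the allowlist pattern are assumed), the unsafe reflection pattern is shown beside a version that validates the parameter and encodes it on output:

```php
<?php
// Added example, not CodeAstro's code. sys_name and pages_system_settings.php
// are from the advisory; the function names and allowlist are assumed.

// Vulnerable pattern: request data echoed straight into HTML.
function render_setting_unsafe(array $get): string
{
    $sysName = $get['sys_name'] ?? '';
    return "<h2>System name: " . $sysName . "</h2>";
}

// Step 1 of the fix: validate the value against an allowlist (constructed here:
// letters, digits, space, dot, underscore, ampersand, dash; at most 64 chars).
function validate_sys_name(string $value): ?string
{
    if (preg_match('/^[A-Za-z0-9 ._&-]{1,64}$/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Step 2 of the fix: encode at the output boundary so the browser renders the
// text instead of interpreting it as markup.
function render_setting_safe(array $get): string
{
    $sysName = validate_sys_name((string)($get['sys_name'] ?? ''));
    if ($sysName === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400); // reject invalid input when served over HTTP
        }
        return '<p>Invalid system name.</p>';
    }
    $encoded = htmlspecialchars($sysName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>System name: {$encoded}</h2>";
}

// Demonstration with the probe value quoted in the advisory (constructed input).
$probe = ['sys_name' => '<script>alert(1)</script>'];
echo render_setting_unsafe($probe), PHP_EOL; // script tag reaches the browser intact
echo render_setting_safe($probe), PHP_EOL;   // rejected by the allowlist

// A value that passes validation is still encoded on output (defense in depth):
// "Savings & Loans" is emitted as "Savings &amp; Loans".
echo render_setting_safe(['sys_name' => 'Savings & Loans']), PHP_EOL;
```

Run it with `php example.php`; the first line shows the raw tag reflected, the second the rejection, the third the encoded ampersand.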
Upgrade to a patched version of the Internet Banking System, if one is available. Otherwise, sanitize the input of the 'sys_name' parameter in the 'pages_system_settings.php' file to prevent execution of malicious JavaScript code. Implement validation and output encoding to prevent XSS attacks.
CVE-2023-5694 is a cross-site scripting (XSS) vulnerability in CodeAstro Internet Banking System versions 1.0–1.0, allowing attackers to inject malicious scripts.
If you are using CodeAstro Internet Banking System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 or later.
Upgrade to CodeAstro Internet Banking System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
The vulnerability has been publicly disclosed, and a proof-of-concept exploit may be available, suggesting potential for active exploitation.
Refer to CodeAstro's official website or security advisories for the latest information and updates regarding CVE-2023-5694.