Platform
php
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in code-projects Online Reviewer System version 1.0. The 'firstname' parameter handled by /system/system/admins/manage/users/btn_functions.php is not adequately validated or encoded before it is rendered, so a remote attacker can inject script that runs in the browser of any user who views the affected page. Successful exploitation could lead to session hijacking or defacement of the application. A fix is available; upgrading to the patched version is the recommended remediation.
The XSS vulnerability in Online Reviewer System 1.0 allows an attacker to inject arbitrary JavaScript into the application. That code executes in the context of any user who views the affected page, and because the sink sits in the admin user-management area, the viewer is likely to hold administrative privileges. An attacker could use this to steal session cookies, redirect users to malicious sites, or deface the application. The impact is greater where the application handles sensitive user data or is integrated with other systems. Although the CVSS score is LOW, the potential for compromise of an administrator account remains significant, especially in environments with limited security controls.
A public proof-of-concept (PoC) for this vulnerability has been released. The vulnerability is not currently listed in CISA KEV, and its EPSS score is low (0.03%, 10th percentile). Even so, the flaw is trivial to trigger once the PoC is in hand, so organizations running Online Reviewer System 1.0 should prioritize patching.
Organizations using Online Reviewer System 1.0 are at risk, particularly those with publicly accessible instances or those that handle sensitive user data. Shared hosting environments in which several tenants use the same server or application instance are also at increased risk, since compromise of one user's session could affect others.
• php / generic web (locate the sink; run from the application's web root, since the advisory path is a URL path rather than a filesystem path):
grep -n 'firstname' system/system/admins/manage/users/btn_functions.php
• generic web (check whether the payload comes back unencoded; the payload is URL-encoded and the response body, not just the headers, is inspected, so -I is not used; if the parameter is read from POST, send it with --data-urlencode instead):
curl -s 'http://your-server.com/system/system/admins/manage/users/btn_functions.php?firstname=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -F '<script>alert(1)</script>'
Reference tags: disclosure, poc
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2222 is to upgrade to a patched version of Online Reviewer System. If upgrading immediately is not possible, apply input validation to the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php and, more importantly, HTML-encode the value at the point where it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit charset). Encoding at the output boundary is what actually prevents injected markup from being interpreted as script; validation narrows the attack surface but is not sufficient on its own. A web application firewall (WAF) configured to detect and block XSS payloads adds a further layer, but it should be treated as a stopgap rather than a fix. Regularly review and update security policies and procedures to minimize the risk of XSS vulnerabilities.
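The following is an added example and is not code from Online Reviewer System or from the advisory. It models a handler that receives a 'firstname' parameter, the sink named above, and renders it into an HTML table cell, showing the vulnerable pattern beside a hardened one. The function names, the validation rule, and the request handling are assumptions made for illustration; only the parameter name comes from the advisory.

```php
<?php
// Added example; not the project's code. Models a 'firstname' sink in an
// admin user-management action. Function names and the validation rule are
// assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern: the parameter is written straight into the page, so an
// input such as <script>alert(1)</script> becomes part of the DOM and executes
// in the browser of whoever views the user list.
function render_firstname_vulnerable(string $firstname): string
{
    return "<td class=\"firstname\">{$firstname}</td>";
}

// Hardened pattern, step 1 (defense in depth): reject values that cannot
// plausibly be a first name. Letters in any script, combining marks, spaces,
// apostrophes and hyphens, 1 to 64 characters. Returns null on rejection.
function validate_firstname(string $firstname): ?string
{
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\' \-]+$/u', $firstname)) {
        return null;
    }
    return $firstname;
}

// Hardened pattern, step 2 (the actual fix): encode at the output boundary no
// matter what validation did. ENT_QUOTES also covers attribute contexts,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, and the
// charset is stated explicitly rather than inherited from php.ini.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_firstname_safe(string $firstname): string
{
    return '<td class="firstname">' . html_escape($firstname) . '</td>';
}

// Request handling as it might look in the user-management action. The
// rejected value is never echoed back raw either; that is a classic second
// XSS sink in error messages.
function handle_request(array $post): string
{
    $raw   = (string)($post['firstname'] ?? '');
    $clean = validate_firstname($raw);
    if ($clean === null) {
        http_response_code(400);
        return '<p class="error">Invalid first name.</p>';
    }
    // Persist $clean with a prepared statement here (omitted).
    return render_firstname_safe($clean);
}

// Demonstration with a constructed payload (not taken from the public PoC).
$payload = '<script>alert(1)</script>';
echo render_firstname_vulnerable($payload), PHP_EOL;   // script tag survives intact
echo render_firstname_safe($payload), PHP_EOL;         // angle brackets become entities
echo handle_request(['firstname' => $payload]), PHP_EOL; // rejected by validation
echo handle_request(['firstname' => "O'Brien"]), PHP_EOL; // accepted, apostrophe encoded
```

Run it with `php example.php`. The order of the two steps matters: validation alone would have to anticipate every bypass, while encoding at the output boundary neutralises anything that reaches it, including values that were stored before the fix was deployed. If the application also places the name inside a JavaScript block or a URL, those contexts need their own encoders (json_encode() and rawurlencode() respectively); htmlspecialchars() is correct only for HTML body and attribute contexts.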
Update to the patched version of Online Reviewer System. Contact the vendor to obtain the fixed version, or apply the security measures needed to prevent XSS code injection through the firstname field.
CVE-2026-2222 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0 that allows remote attackers to inject malicious scripts by manipulating the 'firstname' parameter.
If you are using Online Reviewer System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Online Reviewer System. As a temporary workaround, implement input validation and output encoding.
A public proof-of-concept exists, so the flaw is straightforward to exploit even though the current EPSS score is low. Organizations should prioritize patching.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-2222.