Platform
php
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Reviewer System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides in the /system/system/admins/manage/users/btn_functions.php file, specifically through manipulation of the 'firstname' argument. A fix is pending, and mitigation strategies are crucial.
Successful exploitation of CVE-2026-2224 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Reviewer System. This can lead to various malicious actions, including session hijacking, phishing attacks, and defacement of the application. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to administrative functions. The public availability of the exploit significantly increases the risk of widespread exploitation.
The exploit for CVE-2026-2224 is publicly available, indicating a high probability of exploitation. The vulnerability was added to the NVD on 2026-02-09. Given the ease of exploitation and the public availability of the exploit, organizations using Online Reviewer System 1.0 should prioritize mitigation immediately.
Organizations utilizing the Online Reviewer System 1.0, particularly those with publicly accessible admin interfaces, are at significant risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user could potentially impact others.
• php / web (locate code that reads the parameter without validation):
grep -rn 'firstname = $_POST' /var/www/html/
• generic web (check whether the parameter is reflected; URL quoted so the shell does not treat < and > as redirections):
curl -I '<target_url>/system/system/admins/manage/users/btn_functions.php?firstname=<script>alert(1)</script>'
• generic web (look for requests to the affected endpoint that carry a firstname parameter):
grep -i 'btn_functions.php.*firstname=' /var/log/apache2/access.log
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
While a patch is not yet available, several mitigation steps can be implemented to reduce the risk of exploitation. Input sanitization is paramount; rigorously validate and sanitize all user-supplied data, particularly the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php. Implementing a Web Application Firewall (WAF) with XSS protection rules can also effectively block malicious requests. Consider using a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Regularly review and update the application's codebase to identify and address potential vulnerabilities.
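As an added illustration (not code from code-projects or the Online Reviewer System), the echo-without-encoding pattern this advisory describes is shown next to a hardened version that validates the firstname value on input, encodes it on output, and sets the CSP the text recommends as a second layer; the function names and the table-cell markup are assumptions.

```php
<?php
// Added example, not the project's own code. Function names and markup are assumptions.

// Vulnerable pattern: the submitted value is written into the page unchanged,
// so a value containing markup is interpreted by the browser as HTML/script.
function render_user_row_vulnerable(array $post): string
{
    $firstname = $post['firstname'] ?? '';
    return "<td>$firstname</td>";
}

// Hardened, step 1: validate on input with an allowlist.
// Letters from any script, combining marks, spaces, apostrophes and hyphens; 1-50 characters.
function validate_firstname(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50
        || !preg_match("/^[\\p{L}\\p{M} '\\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

// Hardened, step 2: encode on output for an HTML text context.
// ENT_QUOTES also encodes quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_user_row_hardened(array $post): string
{
    $firstname = validate_firstname((string)($post['firstname'] ?? ''));
    if ($firstname === null) {
        http_response_code(400);           // reject rather than "clean" unexpected input
        return '<td>invalid firstname</td>';
    }
    return '<td>' . html_escape($firstname) . '</td>';
}

// Hardened, step 3 (defence in depth): a CSP without 'unsafe-inline' means that
// an inline script which somehow reached the page would still not execute.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample inputs: a payload of the shape quoted in this advisory, and a legitimate name.
$probe = ['firstname' => '<script>alert(1)</script>'];
echo render_user_row_vulnerable($probe), "\n";              // markup passes through untouched
echo render_user_row_hardened($probe), "\n";                // rejected by the allowlist
echo render_user_row_hardened(['firstname' => "O'Brien"]), "\n"; // accepted and encoded
```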
Update Online Reviewer System to a version later than 1.0. If one exists, update to a version that fixes the cross-site scripting (XSS) vulnerability in the btn_functions.php file. Alternatively, user input, in particular the 'firstname' argument, must be sanitized to prevent the injection of malicious code.
CVE-2026-2224 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0, allowing attackers to inject malicious scripts via the firstname parameter. It's rated as LOW severity.
If you are using Online Reviewer System version 1.0, you are potentially affected. Immediate mitigation steps are recommended until a patch is released.
A patch is not yet available. Mitigate by implementing input sanitization, WAF rules, and a Content Security Policy (CSP).
The exploit is publicly available, suggesting a high probability of active exploitation. Organizations should act quickly to mitigate the risk.
Refer to the NVD entry for CVE-2026-2224 for the latest information and any official advisories from code-projects.