Platform
php
Component
cve_hub
Fixed in
1.0.1
CVE-2023-5696 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Internet Banking System version 1.0. It allows an attacker to inject malicious scripts into the application, potentially stealing user credentials or performing unauthorized actions. A fix is available in version 1.0.1, and users are strongly encouraged to upgrade immediately.
The XSS vulnerability in CodeAstro Internet Banking System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal sensitive user data, such as login credentials, financial information, and personal details. An attacker could also use this vulnerability to redirect users to malicious websites, deface the application, or launch further attacks against the system. The impact is particularly severe given the sensitive nature of internet banking applications and the potential for financial loss.
This vulnerability has been publicly disclosed, and a proof-of-concept exploit is available. The CVSS score is 3.5 (Low), indicating a relatively low probability of exploitation in a standard environment. It was published on 2023-10-22. Active exploitation is possible given the public availability of the exploit.
Organizations and individuals using CodeAstro Internet Banking System version 1.0 are at risk. This includes financial institutions, online banking customers, and anyone who relies on this system for financial transactions. Shared hosting environments using this system are particularly vulnerable due to the potential for cross-tenant exploitation.
• php: Examine pages_transfer_money.php for inadequate input sanitization of the account_number parameter. Search for instances of echo or print statements directly outputting user-supplied data without proper encoding.

// Example of vulnerable code: the raw request parameter is written into the HTML response
echo $_GET['account_number'];

• generic web: Monitor access logs for requests to pages_transfer_money.php containing suspicious characters or patterns in the account_number parameter, such as <script> or alert().

grep -Ei 'transfer_money\.php.*account_number=[^& ]*[^a-zA-Z0-9& ]' access.log

The pattern flags any non-alphanumeric character anywhere in the parameter value (including URL-encoded forms such as %3C), not only in its first character.

Exploit Status
disclosure
poc
EPSS
0.09% (26th percentile)
CVSS vector
The primary mitigation for CVE-2023-5696 is to upgrade to CodeAstro Internet Banking System version 1.0.1 or later. If upgrading is not immediately possible, consider implementing input validation and output encoding on the account_number parameter in pages_transfer_money.php. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Regularly review and update security policies and procedures to prevent similar vulnerabilities in the future.
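The following is an added example of the interim hardening described above, not code from the CodeAstro project: the account_number parameter is validated against an allow-list and encoded at every output point. The digit-only format and the surrounding markup are assumptions, not taken from the product.

```php
<?php
// Added example (not the CodeAstro project's own code): hardened handling of the
// account_number parameter for a page such as pages_transfer_money.php.
// Assumption: account numbers are 6 to 20 decimal digits; adjust to the real format.

declare(strict_types=1);

/** Allow-list validation: reject anything that is not a plausible account number. */
function validate_account_number(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    return preg_match('/^\d{6,20}$/', $value) === 1 ? $value : null;
}

/** Output encoding for HTML text and attribute contexts (UTF-8, all quote styles escaped). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Pin the response charset so the encoding function and the browser agree.
header('Content-Type: text/html; charset=UTF-8');

// Vulnerable pattern from the advisory: the raw parameter is echoed into the page.
// echo $_GET['account_number'];

// Hardened pattern: validate first, then encode at the point of output.
$account = validate_account_number($_GET['account_number'] ?? null);

if ($account === null) {
    http_response_code(400);
    echo '<p>Invalid account number.</p>';
    exit;
}

// The validated value is still encoded, so a later relaxation of the
// validation regex cannot silently reintroduce the XSS.
echo '<p>Transfer to account ' . h($account) . '</p>';
echo '<input type="text" name="account_number" value="' . h($account) . '">';
```

Validation alone is not sufficient if the field format is later widened to allow letters or punctuation; the output encoding is what removes the injection path regardless of the input rules.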
Upgrade to a patched version of Internet Banking System. If no patched version is available, sanitize the input of the `account_number` parameter in the file `pages_transfer_money.php` to prevent JavaScript injection. Use XSS-specific escaping functions when displaying data on the page.
CVE-2023-5696 is a cross-site scripting (XSS) vulnerability in CodeAstro Internet Banking System version 1.0, allowing attackers to inject malicious scripts.
Yes, if you are using CodeAstro Internet Banking System version 1.0, you are affected by this vulnerability.
Upgrade to CodeAstro Internet Banking System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
The vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a potential for active exploitation.
Refer to the CodeAstro website or security advisories for the official advisory regarding CVE-2023-5696.