Platform: php
Component: myaac
Fixed in: 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14
CVE-2023-7076 is a cross-site scripting (XSS) vulnerability affecting MyAAC versions 0.8.0 through 0.8.13. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides in the file system/pages/bugtracker.php and is triggered by manipulating specific parameters. An upgrade to version 0.8.14 is available to address this issue.
Successful exploitation of CVE-2023-7076 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including stealing user credentials, redirecting users to phishing sites, or modifying the content of the web page. The impact is amplified if the application handles sensitive data or is integrated with other systems. An attacker could potentially gain access to user accounts and perform actions on their behalf, leading to data breaches and reputational damage. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant immediate attention.
CVE-2023-7076 is not currently listed on KEV. The EPSS score is likely low given the CVSS score and the availability of a straightforward patch. Public proof-of-concept (PoC) code is not widely available as of the publication date. The vulnerability was disclosed publicly on December 22, 2023, and a patch was released shortly thereafter. There are no confirmed reports of active exploitation at this time.
Organizations using MyAAC for bug tracking or issue reporting are at risk. Specifically, deployments running versions 0.8.0 through 0.8.13 are vulnerable. Shared hosting environments where MyAAC is installed alongside other applications may also be affected, as a successful XSS attack could potentially compromise other tenants on the same server.
• generic web: Use curl to test the bug report form endpoint with a simple XSS payload (e.g., curl 'http://your-myaac-instance/pages/bugtracker.php?bug[2][subject]=<script>alert(1)</script>'). Inspect the response body for the payload reflected back without HTML encoding; curl does not render the page, so the alert itself will not be visible.
• generic web: Examine access and error logs for suspicious requests containing XSS payloads targeting the bug[2][subject], bug[2][text], or report[subject] parameters.
• php: Review the source code of pages/bugtracker.php for inadequate input validation or output encoding of these parameters.
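As an added example for the log-review step above (this is not MyAAC project code), the following PHP script parses Common Log Format access-log lines, decodes the query string of requests to bugtracker.php, and flags values of the bug[...][subject], bug[...][text] and report[subject] parameters that contain HTML or script markup. The log lines are constructed for this example; the parameter names come from the advisory text. It assumes PHP 8 (for str_ends_with) and a GET-based request as in the curl check, since standard access logs do not record POST bodies.

```php
<?php
// Added example (not MyAAC code): triage access-log lines for requests to
// bugtracker.php whose watched parameters carry HTML/script markup.
// The sample log below is constructed for this example.

const WATCHED_KEYS = ['subject', 'text'];

// Parse one Common Log Format line; returns null when the line does not match.
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Extract the bug[...][subject|text] and report[subject] values from a query
// string. parse_str() percent-decodes and nests bracketed keys, so
// bug%5B2%5D%5Bsubject%5D becomes $params['bug'][2]['subject'].
function watchedParams(string $query): array
{
    parse_str($query, $params);
    $found = [];
    foreach (['bug', 'report'] as $family) {
        if (empty($params[$family]) || !is_array($params[$family])) {
            continue;
        }
        foreach ($params[$family] as $k => $v) {
            if (is_string($v) && in_array($k, WATCHED_KEYS, true)) {
                $found["{$family}[{$k}]"] = $v;                 // report[subject]
            } elseif (is_array($v)) {
                foreach ($v as $k2 => $v2) {
                    if (is_string($v2) && in_array($k2, WATCHED_KEYS, true)) {
                        $found["{$family}[{$k}][{$k2}]"] = $v2; // bug[2][subject]
                    }
                }
            }
        }
    }
    return $found;
}

// Coarse triage heuristic: a tag opener, an inline event-handler attribute,
// or a javascript: URL. Tune it to the site's normal traffic before alerting on it.
function looksLikeMarkup(string $value): bool
{
    return (bool) preg_match('/<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i', $value);
}

// Return one hit per flagged parameter value, with the requesting IP and time.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $url = parse_url($req['target']);
        if (!isset($url['path'], $url['query']) || !str_ends_with($url['path'], '/bugtracker.php')) {
            continue;
        }
        foreach (watchedParams($url['query']) as $name => $value) {
            if (looksLikeMarkup($value)) {
                $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'param' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample: one ordinary report, one carrying the advisory's test
// payload, one benign value containing a bare "<", and an unrelated request.
$sampleLog = [
    '203.0.113.10 - - [22/Dec/2023:10:01:02 +0000] "GET /bugtracker.php?bug%5B2%5D%5Bsubject%5D=Login+broken HTTP/1.1" 200 512',
    '203.0.113.11 - - [22/Dec/2023:10:05:44 +0000] "GET /bugtracker.php?bug%5B2%5D%5Bsubject%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 498',
    '203.0.113.12 - - [22/Dec/2023:10:06:10 +0000] "GET /bugtracker.php?bug%5B2%5D%5Btext%5D=Price+shows+%3C3+gold HTTP/1.1" 200 498',
    '203.0.113.13 - - [22/Dec/2023:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
];

foreach (scanLog($sampleLog) as $hit) {
    printf("%s %s %s = %s\n", $hit['time'], $hit['ip'], $hit['param'], $hit['value']);
}
// Only the second line is reported: 203.0.113.11, bug[2][subject], <script>alert(1)</script>
```

Feed a real log in with `file('access.log', FILE_IGNORE_NEW_LINES)` in place of `$sampleLog`. Because only the query string is visible, submissions made with POST will not appear here; for those, the application's own request logging or a WAF log is the place to look.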
disclosure
patch
Exploit Status
EPSS: 0.15% (35th percentile)
CVSS vector
The primary mitigation for CVE-2023-7076 is to upgrade MyAAC to version 0.8.14 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the bugtracker.php page to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block malicious XSS payloads targeting the vulnerable parameters. Review and harden the application's security configuration to minimize the attack surface. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the bug report form and verifying that it is properly neutralized.
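To make the interim workaround concrete, here is an added PHP example (it is not code from MyAAC and does not claim to mirror bugtracker.php) showing the unsafe pattern that lets a reflected field carry markup next to an output-encoded and validated version. Function names and the length limit are illustrative choices; the test payload is the one named in the advisory.

```php
<?php
// Added example (not MyAAC code): raw interpolation versus output encoding
// plus input validation for a user-supplied bug-report subject.

// Unsafe: user input is interpolated straight into HTML, so any markup in
// $subject is rendered by the browser.
function renderSubjectUnsafe(string $subject): string
{
    return "<h3>{$subject}</h3>";
}

// Encode for an HTML text context. ENT_QUOTES also makes the value safe inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently blank the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Safe: the same rendering with the value encoded at the point of output.
function renderSubject(string $subject): string
{
    return '<h3>' . e($subject) . '</h3>';
}

// Input validation before storage: trim, cap the length, and reject control
// characters. This does not replace output encoding; it limits what is stored.
function validateSubject(string $subject, int $maxLen = 100): ?string
{
    $subject = trim($subject);
    if ($subject === '' || mb_strlen($subject, 'UTF-8') > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $subject)) {
        return null;
    }
    return $subject;
}

$payload = '<script>alert(1)</script>';

echo renderSubjectUnsafe($payload), "\n";
// <h3><script>alert(1)</script></h3>   -- the script tag reaches the browser

echo renderSubject($payload), "\n";
// <h3>&lt;script&gt;alert(1)&lt;/script&gt;</h3>   -- shown as text, not executed

var_dump(validateSubject("  Login broken\n"));         // string(12) "Login broken"
var_dump(validateSubject(str_repeat('A', 101)));        // NULL (too long)
var_dump(validateSubject("bad\x00subject"));            // NULL (control character)
```

The encoded output is what the post-upgrade check in the paragraph above should show when the payload is submitted through the form: the characters appear literally on the page and no script runs. Apply `e()` at every place a stored field is echoed, not only the subject, since the text and report fields are reflected as well.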
Update MyAAC to version 0.8.14 or later. This version contains a fix for the XSS vulnerability. The update can be performed by downloading the new version from the official website or by using a package management system, if one is available.
CVE-2023-7076 is a cross-site scripting (XSS) vulnerability in MyAAC versions 0.8.0 through 0.8.13, allowing attackers to inject malicious scripts.
Yes, if you are running MyAAC versions 0.8.0 through 0.8.13, you are vulnerable to this XSS attack.
Upgrade MyAAC to version 0.8.14 or later to resolve the vulnerability. Input validation and output encoding can be temporary workarounds.
As of the publication date, there are no confirmed reports of active exploitation, but vigilance is still advised.
Refer to the MyAAC project's official website or security advisories for the latest information and updates regarding this vulnerability.