Platform: php
Component: cves
Fixed in: 1.0.1
CVE-2023-7149 is a cross-site scripting (XSS) vulnerability affecting versions 1.0 through 1.0 of the QR Code Generator. An attacker can exploit this flaw by manipulating the 'file' parameter in the /download.php?file=author.png endpoint, potentially leading to the execution of arbitrary JavaScript code in a victim's browser. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
Successful exploitation of CVE-2023-7149 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive information like cookies and credentials. The vulnerability resides in the file download functionality, specifically the handling of the 'file' parameter. The attacker can craft a malicious URL containing a payload that, when accessed, executes the injected script. The impact is amplified if the QR Code Generator is integrated into a larger application or used to generate codes for sensitive data, as the attacker could potentially compromise the entire system.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported, but the availability of public information makes it a potential target for opportunistic attackers. The identifier VDB-249153 has been assigned to this vulnerability. It is not currently listed on CISA KEV.
Websites and applications that utilize the QR Code Generator component, particularly those that allow users to download files generated by the component, are at risk. Shared hosting environments where multiple users share the same server resources are also at increased risk, as a compromise of one user's QR Code Generator instance could potentially impact other users on the same server.
• php / web:
grep -r "onerror=alert(document.domain)" /var/www/html/
• generic web:
# Use a GET request (curl -s), not a HEAD request (curl -I): the reflection is in the
# response body, which -I never fetches. Any match means the parameter is still reflected unescaped.
curl -s 'http://your-website.com/download.php?file=author.png%22%3EiMg%20src=N%20onerror=alert(document.domain)%3E' | grep -i 'alert(document.domain)'
Disclosure
Exploit Status
EPSS: 0.13% (32nd percentile)
CVSS-vector
The primary mitigation for CVE-2023-7149 is to upgrade to version 1.0.1 of the QR Code Generator. This version includes a fix that addresses the vulnerable parameter handling. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'file' parameter to prevent the injection of malicious code. Additionally, implement a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious characters or patterns in the 'file' parameter. Regularly review and update the QR Code Generator's codebase to identify and address potential vulnerabilities. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a malicious payload and verifying that the script is not executed.
Upgrade to a patched version or disable/remove the vulnerable component. Validate and sanitize user input, especially the 'file' parameter in the '/download.php' script, to prevent the injection of malicious code. Implement a Content Security Policy (CSP) to mitigate XSS attacks.
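The two mitigation passages above (input validation on the 'file' parameter, escaping of anything reflected into HTML, and a CSP) can be combined in one hardened download handler. The following is an added example and not the QR Code Generator's own download.php; the directory name, the allowed extension and the function names are assumptions. The reflected XSS this CVE describes arises when the raw 'file' value is echoed into an HTML response; the handler below never does that.

```php
<?php
// Added example (not the vendor's code): a hardened download.php for a QR image
// download endpoint. Assumptions: generated images live in ./generated and are PNG.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/generated'; // assumed location of generated QR images
const ALLOWED_EXT  = ['png'];                // assumed: only PNG downloads are served

/**
 * Validate the requested file name and resolve it to a path inside DOWNLOAD_DIR.
 * Allowlist: 1-64 chars of [A-Za-z0-9_-], one dot, an allowlisted extension.
 * Quotes, angle brackets, slashes and NUL bytes can never pass this check,
 * so the value can neither break out of HTML nor out of the directory.
 * Returns the absolute path, or null if the request is rejected.
 */
function resolveDownload(string $requested, string $dir = DOWNLOAD_DIR): ?string
{
    $pattern = '/\A[A-Za-z0-9_-]{1,64}\.(' . implode('|', ALLOWED_EXT) . ')\z/';
    if (!preg_match($pattern, $requested)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $requested);
    // Second layer: the resolved path must still sit strictly below the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** HTML-escape any value that is reflected into a page, error messages included. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$requested = (string) ($_GET['file'] ?? '');

// Defence in depth: a CSP without 'unsafe-inline' blocks inline event handlers such as
// onerror= even if an escape is missed elsewhere in the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

$path = resolveDownload($requested);
if ($path === null) {
    http_response_code(400);
    header('Content-Type: text/html; charset=UTF-8');
    // The vulnerable pattern echoes the raw parameter here; escape it (or omit it).
    echo '<!doctype html><p>Invalid file name: ' . h($requested) . '</p>';
    exit;
}

header('Content-Type: image/png');
// basename($path) already matched the allowlist, so it is safe inside the header.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Three independent layers are at work: the allowlist rejects the payload shape shown in the detection check above before it is ever used, the escaping function neutralises any value that does reach an HTML response, and the CSP stops inline script execution in the browser if the first two are bypassed by some other code path. After upgrading, the curl check listed under detection should return no match against this handler, since the only response containing the parameter is the escaped error page.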
CVE-2023-7149 is a cross-site scripting (XSS) vulnerability in QR Code Generator versions 1.0 through 1.0, allowing attackers to inject malicious scripts via the 'file' parameter in the download endpoint.
You are affected if you are using QR Code Generator versions 1.0 through 1.0 and have not upgraded to version 1.0.1.
Upgrade to version 1.0.1 of QR Code Generator. As a temporary workaround, implement input validation and sanitization on the 'file' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the VDB entry (VDB-249153) for details and potentially vendor advisories if available.