Platform: php
Component: recentthreads
CVE-2019-25093 describes a cross-site scripting (XSS) vulnerability, classified as problematic, in the Recent Threads on Index component of Dragonexpert. An attacker can inject script by manipulating the recentthread_forumskip argument. The vulnerability affects versions prior to commit 051465d807a8fcc6a8b0f4bcbb19299672399f48, which patches the issue.
Successful exploitation of CVE-2019-25093 allows an attacker to inject arbitrary JavaScript code into the web page viewed by other users. This can lead to various malicious actions, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially steal sensitive user data, such as cookies and authentication tokens, or compromise the entire system if the user has elevated privileges. The impact is particularly severe if the affected component is used in a high-traffic area of the website, as a single successful injection could affect a large number of users.
CVE-2019-25093 was disclosed in 2019 and published to the NVD on January 2, 2023. There are no known active campaigns targeting this specific vulnerability. Public proof-of-concept exploits are not widely available, suggesting a relatively low exploitation probability. The vulnerability's CVSS score of 2.4 (LOW) further supports this assessment.
Websites running the Dragonexpert Recent Threads on Index plugin at a version prior to the patch are at risk. Shared hosting environments, where multiple websites share the same server and plugin installation, are particularly exposed, since a compromise of one site could affect the others.
• php / web:
grep -n 'recentthread_forumskip' /var/www/html/inc/plugins/recentthreads/hooks.php
• generic web (the URL is quoted so the shell does not interpret <, > and ?; -s fetches the response body, which a HEAD request with -I would not return, so you can inspect whether the payload is reflected):
curl -s 'http://your-website.com/inc/plugins/recentthreads/hooks.php?recentthread_forumskip=<script>alert(1)</script>'
EPSS: 0.34% (56th percentile)
The primary mitigation for CVE-2019-25093 is to apply the provided patch (commit 051465d807a8fcc6a8b0f4bcbb19299672399f48). Before applying the patch, back up the inc/plugins/recentthreads/hooks.php file. If applying the patch directly is not feasible, implement input validation and sanitization on the recentthread_forumskip parameter to reject malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. After applying the patch, confirm the vulnerability is resolved by submitting a simple JavaScript payload through the recentthread_forumskip parameter and verifying that it is not executed.
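As an added example (not the plugin's own code), the following hypothetical PHP shows a hook that reflects recentthread_forumskip into markup without encoding, beside a hardened version that validates the value and HTML-encodes it on output. It assumes the parameter is a comma-separated list of forum IDs to skip and that hooks.php builds the form field itself.

```php
<?php
// Added example, not code from the Recent Threads on Index plugin.
// Assumption: recentthread_forumskip is a comma-separated list of forum IDs.

// Vulnerable pattern (hypothetical): the raw parameter is echoed into an attribute.
function recentthreads_skip_field_vulnerable(array $input): string
{
    $skip = $input['recentthread_forumskip'] ?? '';
    return '<input type="text" name="recentthread_forumskip" value="' . $skip . '">';
}

// Validation: keep only positive integers, drop everything else and de-duplicate.
function recentthreads_parse_forumskip(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && preg_match('/^[0-9]+$/', $part) === 1) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

// Hardened: rebuild the value from the validated list and encode on output
// (defense in depth: even a future non-numeric value could not break out).
function recentthreads_skip_field_hardened(array $input): string
{
    $raw = (string) ($input['recentthread_forumskip'] ?? '');
    $value = implode(',', recentthreads_parse_forumskip($raw));
    return '<input type="text" name="recentthread_forumskip" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed sample input: the kind of value a reflected-XSS check submits.
$sample = ['recentthread_forumskip' => '1,2"><script>alert(1)</script>'];

// The vulnerable field closes the attribute and emits the script tag verbatim.
echo recentthreads_skip_field_vulnerable($sample), "\n";
// The hardened field keeps only the valid ID: value="1"
echo recentthreads_skip_field_hardened($sample), "\n";
```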
Update the Recent Threads on Index plugin to the latest available version. The vulnerability has been patched in the version following commit 051465d807a8fcc6a8b0f4bcbb19299672399f48. Consult the plugin's changelog for more details on the update.
CVE-2019-25093 is a cross-site scripting (XSS) vulnerability in the Dragonexpert Recent Threads on Index plugin, allowing attackers to inject malicious scripts via the recentthread_forumskip parameter.
You are affected if you are using Dragonexpert Recent Threads on Index at a version prior to the fix commit 051465d807a8fcc6a8b0f4bcbb19299672399f48.
Apply the patch 051465d807a8fcc6a8b0f4bcbb19299672399f48. Back up the hooks.php file before applying.
There are no known active campaigns targeting CVE-2019-25093 at this time, but it remains a potential risk.
Refer to the VDB entry (VDB-217182) for more information and potential links to the Dragonexpert advisory.