Platform
php
Component
cve_hub
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in Best Courier Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data integrity. The vulnerability resides in the manageparcelstatus.php file and is triggered by manipulating the id parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-5273 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially gain access to sensitive information stored within the Best Courier Management System, such as customer data, shipment details, and administrative credentials. Given the nature of courier management systems, this could expose personally identifiable information (PII) and financial data.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No known active campaigns have been reported at the time of writing, but the availability of a public exploit significantly elevates the threat. The vulnerability is tracked as VDB-240886. It is not currently listed on CISA KEV.
Organizations utilizing Best Courier Management System, particularly those with limited security resources or those running older, unpatched versions, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user could potentially impact others.
Detection checks:
• php / web (look for the unvalidated assignment of the request parameter in the source; the `$` is escaped so the shell does not expand `$_GET`):
grep -rF "id = \$_GET['id']" /var/www/html/manage_parcel_status.php
• generic web (the URL is quoted so the shell does not treat `<` and `>` as redirections):
curl -I 'http://your-courier-system.com/manage_parcel_status.php?id=<script>alert(1)</script>'
disclosure
patch
Exploit status
EPSS
0.07% (21st percentile)
CVSS vector
The primary mitigation for CVE-2023-5273 is to immediately upgrade to Best Courier Management System version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the id parameter in manageparcelstatus.php to sanitize user-supplied data. While a Web Application Firewall (WAF) might offer some protection, it is not a substitute for patching the vulnerability. Thoroughly test the upgrade in a staging environment before deploying to production to avoid any compatibility issues.
Upgrade to a patched version of the software. If no patched version is available, sanitize the input of the 'id' parameter in the manage_parcel_status.php file to prevent the injection of malicious code. Validate and escape the data before displaying it on the page.
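As an added example (not code from Best Courier Management System, SourceCodester, or this advisory), the two-part interim workaround described above, input validation followed by output encoding of the id value, written in PHP. The function names, the `$get` array parameter and the sample requests are assumptions chosen for this illustration; the unsafe function is kept only to contrast the reflection pattern with its hardened form.

```php
<?php
// Added example, not project code. Assumed names: parcel_id_from_request(),
// render_parcel_heading(), html(); $get stands in for the $_GET superglobal.
declare(strict_types=1);

// Reflection pattern for contrast: the raw query value is written straight into HTML.
function render_parcel_heading_unsafe(array $get): string
{
    return '<h2>Parcel #' . $get['id'] . '</h2>';
}

// Step 1: input validation. Parcel ids are positive integers, so anything else is
// rejected before it reaches a database query or the rendered page.
function parcel_id_from_request(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: output encoding. Every value is encoded at the point it is written into
// HTML, including the rejected input echoed back in the error message.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_parcel_heading(array $get): string
{
    $id = parcel_id_from_request($get);
    if ($id === null) {
        http_response_code(400);
        $raw = isset($get['id']) ? (string) $get['id'] : '';
        return '<p>Invalid parcel id: ' . html($raw) . '</p>';
    }
    return '<h2>Parcel #' . html((string) $id) . '</h2>';
}

// Constructed sample requests: one benign id and one carrying the probe string
// quoted in the detection check above.
$samples = [
    ['id' => '42'],
    ['id' => '<script>alert(1)</script>'],
];
foreach ($samples as $get) {
    echo render_parcel_heading($get), PHP_EOL;
}
```

Run with `php example.php`: the first request renders `<h2>Parcel #42</h2>`, the second is refused by the validation step and its value is reflected only as `&lt;script&gt;alert(1)&lt;/script&gt;`, so no script element reaches the browser. Validation alone would already block this payload; the encoding step is kept so the page stays safe if the id rule is later relaxed to allow non-numeric tracking codes.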
CVE-2023-5273 is a cross-site scripting (XSS) vulnerability affecting Best Courier Management System version 1.0, allowing attackers to inject malicious scripts via the 'id' parameter in manageparcelstatus.php.
You are affected if you are using Best Courier Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to Best Courier Management System version 1.0.1 or later. Input validation and output encoding can be temporary workarounds.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2023-5273.