Plataforma
php
Componente
flusity-cms
CVE-2023-5811 is a cross-site scripting (XSS) vulnerability discovered in flusity CMS. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. Due to flusity CMS's continuous delivery model, specific affected versions are not available, but the patch identifier is 6943991c62ed87c7a57989a0cb7077316127def8.
Successful exploitation of CVE-2023-5811 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the flusity CMS website. This can be leveraged to steal sensitive information, such as cookies and session tokens, enabling the attacker to impersonate the user. The attacker could also modify the content of the website, potentially defacing it or redirecting users to malicious sites. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of user accounts and data, depending on the privileges of the affected user and the attacker's skill.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There is no indication of it being listed on KEV or having a high EPSS score at this time. Public proof-of-concept exploits are likely to emerge given the ease of XSS exploitation. The vulnerability was published on 2023-10-27.
Organizations using flusity CMS, particularly those relying on its continuous delivery model without rigorous verification of applied patches, are at risk. Shared hosting environments where multiple users share the same flusity CMS instance are also particularly vulnerable, as an attacker could potentially compromise one user's account and gain access to others.
• php / web:
grep -r "menu_id" /var/www/flusity/core/tools/posts.php• generic web:
curl -I https://your-flusity-site.com/core/tools/posts.php?menu_id=<script>alert(1)</script>disclosure
Status do Exploit
EPSS
0.06% (percentil 17%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2023-5811 is to apply the provided patch: 6943991c62ed87c7a57989a0cb7077316127def8. Since flusity CMS uses a continuous delivery model, updates are typically applied automatically. However, it's crucial to verify that the patch has been successfully applied. Implement strict input validation and output encoding on all user-supplied data to prevent XSS vulnerabilities in the future. Consider using a Web Application Firewall (WAF) to filter out malicious requests. After applying the patch, confirm by inspecting the core/tools/posts.php file to ensure the patch identifier is present.
Aplicar el parche identificado como 6943991c62ed87c7a57989a0cb7077316127def8 para corregir la vulnerabilidad XSS en el archivo core/tools/posts.php. Debido a que el producto utiliza entrega continua, no hay versiones específicas afectadas o actualizadas disponibles. Se recomienda obtener el parche directamente del repositorio del proyecto y aplicarlo al código base.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2023-5811 is a cross-site scripting (XSS) vulnerability in flusity CMS that allows attackers to inject malicious scripts via the menu_id parameter, potentially leading to account compromise.
If you are using flusity CMS and have not verified the application of patch 6943991c62ed87c7a57989a0cb7077316127def8, you are potentially affected.
Apply the patch 6943991c62ed87c7a57989a0cb7077316127def8. Verify the patch application by inspecting the core/tools/posts.php file.
The vulnerability has been publicly disclosed, so active exploitation is possible. Monitor your systems for suspicious activity.
Refer to the flusity CMS release notes and security advisories on their official website for details regarding this vulnerability and the associated patch.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.