Platform
php
Component
niv_testing_sxss
Fixed in
1.0.1
CVE-2023-6442 is a cross-site scripting (XSS) vulnerability affecting the PHPGurukul Nipah Virus Testing Management System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. A fix is available in version 1.0.1.
Successful exploitation of CVE-2023-6442 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including session hijacking, phishing attacks, and defacement of the application. Sensitive information, such as patient data or administrative credentials, could be stolen. The impact is amplified if the application is used in a healthcare setting, where patient privacy is paramount. The vulnerability's remote accessibility means attackers don't need local access to exploit it.
This vulnerability has been publicly disclosed and a corresponding identifier (VDB-246445) has been assigned. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant prompt remediation. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of a public exploit increases the risk of future attacks. The vulnerability was published on 2023-11-30.
Healthcare organizations utilizing the Nipah Virus Testing Management System are particularly at risk, as the application likely handles sensitive patient data. Organizations with legacy configurations or those who haven't implemented robust input validation practices are also more vulnerable. Shared hosting environments where multiple applications share the same server resources could also be affected if one application is compromised.
• php: Examine the add-phlebotomist.php file for unsanitized use of the empid and fullname parameters in output. Look for patterns like echo $_GET['empid']; or similar without proper escaping.

    // Example of vulnerable code
    echo $_GET['empid'];

• generic web: Monitor access logs for requests to add-phlebotomist.php containing suspicious characters or patterns commonly used in XSS attacks (e.g., <script>, <iframe>).

    grep -i '<script' /var/log/apache2/access.log

• generic web: Check response headers for the presence of X-XSS-Protection or Content-Security-Policy headers, which can help mitigate XSS attacks. Ensure these headers are properly configured.
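The log check above is a plain grep, which misses the URL-encoded form that browsers and web servers normally record (%3Cscript%3E rather than <script>). The following is an added example, not part of the advisory, of a small PHP scanner that decodes each request target before matching and limits itself to add-phlebotomist.php. The log lines are constructed samples in Apache combined format; the /niv/ path prefix and the indicator list are assumptions to adjust for your deployment.

```php
<?php
// Added example (not from the advisory): scan access-log lines for requests
// to add-phlebotomist.php whose query string carries common XSS indicators.
// The target is URL-decoded before matching, because a grep for '<script'
// does not see the encoded %3Cscript%3E that normally lands in the log.

// Constructed sample log lines (Apache combined format), not real traffic.
// The /niv/ prefix is an assumed install path.
$sampleLog = <<<'LOG'
203.0.113.10 - - [30/Nov/2023:10:01:02 +0000] "GET /niv/add-phlebotomist.php?empid=E1001&fullname=Jane%20Doe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Nov/2023:10:02:15 +0000] "GET /niv/add-phlebotomist.php?empid=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fullname=x HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [30/Nov/2023:10:03:40 +0000] "GET /niv/index.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
203.0.113.13 - - [30/Nov/2023:10:04:05 +0000] "GET /niv/add-phlebotomist.php?fullname=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
LOG;

/**
 * Return the log lines that request add-phlebotomist.php and, after URL
 * decoding, contain an XSS indicator in the query string. The indicator
 * pattern (tags, inline event handlers, javascript: URLs) is deliberately
 * broad; tune it against real traffic to keep false positives manageable.
 */
function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted "METHOD /path?query HTTP/x.y" field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (stripos($target, 'add-phlebotomist.php') === false) {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        // Decode twice to also catch double-encoded payloads; decoding plain text is a no-op.
        $decoded = rawurldecode(rawurldecode($query));
        if (preg_match('/<\s*(script|iframe|img|svg)\b|\bon[a-z]+\s*=|javascript\s*:/i', $decoded)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// With the sample above, the second and fourth lines are reported.
foreach (findSuspiciousRequests($sampleLog) as $hit) {
    echo "SUSPICIOUS: {$hit}\n";
}
```

Run it as `php scan.php` after replacing the sample with the contents of your access log (for example by reading `/var/log/apache2/access.log` with `file_get_contents`). Because only the query string is decoded and inspected, the scanner is cheap enough to run on a cron schedule or to feed into a SIEM rule.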
Exploit status
disclosure
EPSS
0.15% (35th percentile)
CVSS vector
The primary mitigation for CVE-2023-6442 is to upgrade to version 1.0.1 of the Nipah Virus Testing Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the add-phlebotomist.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and sanitize all user inputs to prevent malicious code injection.
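To make the temporary workaround concrete, here is an added PHP example (not the project's own code) showing the vulnerable echo pattern from the detection notes beside a hardened handler that validates the empid and fullname parameters on input and encodes them at the point of output. The parameter names come from the advisory; the ID format, the name character set and length cap, and the helper names (validateEmpId, validateFullName, h, renderVulnerable, renderHardened) are assumptions for illustration.

```php
<?php
// Added example, not code from the Nipah Virus Testing Management System.
// Shows input validation plus output encoding for the empid and fullname
// parameters of a page like add-phlebotomist.php.

/** Accept only a short alphanumeric employee ID (format is an assumption). */
function validateEmpId(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9-]{1,20}$/', $raw)) {
        return null;
    }
    return $raw;
}

/** Allow letters, spaces, apostrophes, hyphens and dots; cap the length at 100. */
function validateFullName(?string $raw): ?string
{
    $name = trim((string) $raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100
        || !preg_match("/^[\p{L} .'\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

/** Encode for HTML text and attribute contexts; ENT_QUOTES covers both quote styles. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern the advisory describes: the raw parameter is written
 * into HTML, so any markup in the value becomes part of the page.
 */
function renderVulnerable(array $get): string
{
    return 'Employee ID: ' . ($get['empid'] ?? '') . "\n";
}

/** Hardened version: validate first, then encode every value on output. */
function renderHardened(array $get): string
{
    $empid = validateEmpId($get['empid'] ?? null);
    $name  = validateFullName($get['fullname'] ?? null);
    if ($empid === null || $name === null) {
        // In the real handler, also set a 400 status before returning.
        return "Invalid employee ID or name.\n";
    }
    return 'Employee ID: ' . h($empid) . "\n"
         . 'Name: <input type="text" name="fullname" value="' . h($name) . '">' . "\n";
}

// Constructed inputs: a benign request and one carrying markup in empid.
$benign  = ['empid' => 'E1001', 'fullname' => 'Jane Doe'];
$hostile = ['empid' => '<script>alert(1)</script>', 'fullname' => 'Jane Doe'];

echo renderVulnerable($hostile);   // markup reaches the page unchanged
echo renderHardened($benign);      // normal output, values encoded
echo renderHardened($hostile);     // rejected by validation
```

Validation and encoding are separate layers on purpose: validation narrows what the application stores, while `htmlspecialchars` guarantees that whatever is stored cannot change the structure of the HTML it is written into. Adding a Content-Security-Policy response header, as the advisory also recommends, is a third layer that limits what an injected script could do if both were bypassed.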
Upgrade to a patched version or apply the mitigations provided by the vendor. Validate and sanitize user input in the add-phlebotomist.php file, especially the empid and fullname parameters, to prevent injection of malicious code. Implement a Content Security Policy (CSP) to mitigate XSS attacks.
CVE-2023-6442 is a cross-site scripting (XSS) vulnerability in PHPGurukul Nipah Virus Testing Management System versions 1.0–1.0, allowing attackers to inject malicious scripts.
You are affected if you are using PHPGurukul Nipah Virus Testing Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the add-phlebotomist.php file.
While no active exploitation campaigns have been publicly reported, the vulnerability is publicly disclosed and may be exploited.
Refer to the VDB identifier VDB-246445 for details and potentially related advisories.