Platform: php
Component: faculty-management-system
Fixed in: 1.0.1
CVE-2023-7056 is a problematic cross-site scripting (XSS) vulnerability identified in the Faculty Management System version 1.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The affected component is the /admin/pages/subjects.php file, specifically the handling of the Description/Units argument. A patch is available in version 1.0.1.
The XSS vulnerability in Faculty Management System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited by crafting a malicious URL or form submission that includes the injected script. When a user with administrative privileges visits the affected page, the script will execute in their browser context, potentially granting the attacker access to sensitive data, such as user credentials or administrative controls. The attacker could also redirect users to a malicious website or modify the content of the page to display misleading information. Successful exploitation requires a user to interact with the malicious content, such as clicking a crafted link or submitting a specially crafted form.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation in most environments. It is not currently listed on CISA KEV. The public disclosure date suggests that attackers may have already begun scanning for vulnerable instances of the Faculty Management System.
Administrators and users with access to the /admin/pages/subjects.php page are at risk. Shared hosting environments running Faculty Management System 1.0 are particularly vulnerable, as they may be easier targets for attackers.
• php / web: Check whether the page reflects the parameter back unencoded:
curl -I 'http://your-faculty-management-system/admin/pages/subjects.php?Description/Units=<script>alert(1)</script>' | grep -i 'content-type'
• php / web: Examine the /admin/pages/subjects.php file for unescaped output of the Description/Units variable.
• generic web: Review access logs for suspicious requests to /admin/pages/subjects.php with unusual parameters in the Description/Units field.
• generic web: Check for any unusual JavaScript code being injected into the page source code.
Exploit status: disclosure
EPSS: 0.10% (28th percentile)
CVSS vector
The primary mitigation for CVE-2023-7056 is to upgrade the Faculty Management System to version 1.0.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately possible, consider implementing input validation and output encoding on the Description/Units argument in the /admin/pages/subjects.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update the application's security configuration to minimize the risk of exploitation. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Description/Units field and verifying that it is properly sanitized.
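The interim mitigation above (validation on the write path, encoding on the read path) in PHP form. This is an added example, not code from the Faculty Management System project; the field names Description and Units come from the advisory, while the function names, the table-cell markup and the sample record are assumptions made for illustration.

```php
<?php
// Added example, not the Faculty Management System's own code.
// Hypothetical rendering of a subject row as a page like
// /admin/pages/subjects.php might do it.

// Vulnerable pattern: stored values are concatenated straight into HTML,
// so markup in Description or Units reaches the browser as markup.
function render_subject_vulnerable(array $subject): string {
    return '<td>' . $subject['Description'] . '</td><td>' . $subject['Units'] . '</td>';
}

// Hardened pattern: encode for the HTML body/attribute context at output time.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_subject_safe(array $subject): string {
    return '<td>' . h($subject['Description']) . '</td><td>' . h($subject['Units']) . '</td>';
}

// Input validation on the write path. Units is treated as a small whole
// number and Description is length-bounded; both limits are assumptions.
// Validation narrows what gets stored but does not replace output encoding.
function validate_subject_input(array $input): array {
    $errors = [];
    $description = trim((string)($input['Description'] ?? ''));
    if ($description === '' || mb_strlen($description, 'UTF-8') > 500) {
        $errors[] = 'Description must be between 1 and 500 characters.';
    }
    $units = (string)($input['Units'] ?? '');
    if (!preg_match('/^\d{1,2}$/', $units)) {
        $errors[] = 'Units must be a whole number of at most two digits.';
    }
    return $errors;
}

// Constructed sample record resembling a stored XSS attempt.
$sample = ['Description' => '<script>alert(1)</script>', 'Units' => '3'];

echo "vulnerable: ", render_subject_vulnerable($sample), PHP_EOL;
echo "hardened:   ", render_subject_safe($sample), PHP_EOL;
echo "validation errors: ", json_encode(validate_subject_input($sample)), PHP_EOL;
```

Run with `php example.php`. The sample passes the length check on Description, which is the point: a free-text field cannot be validated into safety, so the encoding in render_subject_safe is the control that actually neutralises the script tag. If the same values are ever placed inside a JavaScript block or a URL rather than HTML, a context-specific encoder is needed instead of htmlspecialchars.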
Update to a patched version of the Faculty Management System. If no patched version is available, sanitize the input of the 'Description' and 'Units' fields in the /admin/pages/subjects.php file to prevent the injection of malicious code.
CVE-2023-7056 is a cross-site scripting (XSS) vulnerability affecting Faculty Management System version 1.0, allowing attackers to inject malicious scripts via the /admin/pages/subjects.php file.
You are affected if you are running Faculty Management System version 1.0 and have not upgraded to version 1.0.1 or later.
Upgrade to Faculty Management System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While exploitation is possible due to public disclosure, there is no confirmed widespread exploitation at this time.
Refer to the Faculty Management System project's official website or repository for the advisory related to CVE-2023-7056.