免费扫描
LOWCVE-2026-4973CVSS 3.5

SourceCodester Online Quiz System add-question.php 跨站脚本漏洞

平台

php

组件

5992b65cca5612c036f1d31d8d8f0646

修复版本

1.0.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2026-4973 describes a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions up to 1.0. This flaw resides within the /add-question.php file endpoint and allows attackers to inject malicious scripts by manipulating the quiz_question parameter. Successful exploitation could lead to session hijacking or defacement. A patch is expected, and temporary mitigation strategies are available.

影响与攻击场景翻译中…

An attacker can exploit this XSS vulnerability to inject arbitrary JavaScript code into the SourceCodester Online Quiz System. This code could be executed in the context of a user's browser when they access the affected page. The impact ranges from simple defacement of the quiz system to more severe consequences like stealing user session cookies, redirecting users to malicious websites, or even gaining control of the user's account. Given the quiz system's potential use in educational or assessment settings, this could compromise sensitive user data and system integrity. The public availability of the exploit increases the risk of immediate exploitation.

利用背景翻译中…

CVE-2026-4973 has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the availability of a PoC significantly increases the risk.

哪些人处于风险中翻译中…

Organizations and individuals using SourceCodester Online Quiz System version 1.0, particularly those hosting the application on shared hosting environments or without robust security monitoring, are at increased risk. Educational institutions and businesses relying on the quiz system for assessments or training are also vulnerable.

检测步骤翻译中…

• php / web:

curl -s -X POST "http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"

• generic web:

curl -I http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>

• generic web: Examine access logs for requests to /add-question.php containing suspicious JavaScript code in the quiz_question parameter.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.03% (9% 百分位)

CISA SSVC

利用情况poc
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R3.5LOWAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionRequired是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件5992b65cca5612c036f1d31d8d8f0646
供应商SourceCodester
影响范围修复版本
1.0 – 1.01.0.1

弱点分类 (CWE)

CWE-79CWE-94

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期
未修复 — 披露已58天

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-4973 is to upgrade to a patched version of SourceCodester Online Quiz System as soon as it becomes available. Until then, several temporary measures can be implemented. First, implement strict input sanitization on the quizquestion parameter within the /add-question.php file. Second, configure a Web Application Firewall (WAF) to filter out potentially malicious JavaScript code. Third, review and harden the application's security configuration, ensuring proper output encoding and escaping. After applying mitigations, verify the fix by attempting to inject a simple JavaScript payload through the quizquestion parameter and confirming it is not executed.

修复方法

升级 SourceCodester Online Quiz System 到 1.0 之后的版本。如果不可用,建议禁用或删除易受攻击的组件。作为临时措施,可以在 add-question.php 文件中实施对 'quiz_question' 输入的彻底验证和清理,以防止恶意代码注入。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-4973 — XSS in SourceCodester Online Quiz System?

CVE-2026-4973 is a cross-site scripting (XSS) vulnerability in SourceCodester Online Quiz System versions up to 1.0, allowing attackers to inject malicious scripts via the /add-question.php endpoint.

Am I affected by CVE-2026-4973 in SourceCodester Online Quiz System?

If you are using SourceCodester Online Quiz System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.

How do I fix CVE-2026-4973 in SourceCodester Online Quiz System?

The recommended fix is to upgrade to a patched version of SourceCodester Online Quiz System. Until then, implement input sanitization and WAF rules.

Is CVE-2026-4973 being actively exploited?

A proof-of-concept exploit is publicly available, suggesting a high probability of active exploitation.

Where can I find the official SourceCodester advisory for CVE-2026-4973?

Refer to the SourceCodester website and security forums for updates and advisories regarding CVE-2026-4973.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE