Platform
php
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability, rated as problematic, has been identified in SourceCodester Best Courier Management System version 1.0. The flaw lies in the Manage Account Page component: the 'First Name' parameter is not properly sanitized, so an attacker can inject script content through it. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-5302 lets an attacker run arbitrary JavaScript in the browser session of a user who views the injected value. Possible outcomes include session hijacking, phishing and defacement of the application; an attacker could harvest sensitive data such as login credentials or personal information, or redirect users to attacker-controlled sites. The blast radius is limited to users who interact with the Manage Account Page, but the impact scales with the application's user base.
This vulnerability has been publicly disclosed and carries the VulDB identifier VDB-240941. While no active exploitation campaigns had been linked to CVE-2023-5302 at the time of writing, public disclosure lowers the bar for opportunistic attacks. It is not listed in CISA KEV. The LOW CVSS score reflects the limited scope and impact of a single XSS flaw, not any difficulty in exploiting it; the injection itself is straightforward.
Organizations running Best Courier Management System, particularly publicly accessible instances with limited security controls, are at risk. Shared hosting environments where multiple accounts share one server deserve attention as well: the script itself executes only in the victim's browser, not on the server, but a stolen session or credential belonging to a privileged user could be used to reach further into the deployment.
• source tree (locate the form and the handler that store and display the field):
grep -rn "First Name" /var/www/html/best-courier-management-system/
• generic web (run only against a test instance; the endpoint path and parameter name below are placeholders and must be confirmed against the actual form, and a valid session cookie is normally required to reach the Manage Account Page):
curl -s -X POST "http://your-best-courier-management-system/manage_account.php" -d "First_Name=<script>alert('XSS')</script>"
disclosure
patch
Exploitation status
EPSS
0.07% (22nd percentile)
CVSS vector
The primary mitigation for CVE-2023-5302 is to upgrade to version 1.0.1 of Best Courier Management System without delay. If upgrading is not immediately feasible, add input validation and, more importantly, context-aware output encoding for the 'First Name' field so that user-supplied data is never written into HTML unescaped. This reduces the risk but is not a substitute for the vendor fix. Hardening the deployment, including a Web Application Firewall (WAF) with XSS rules, adds a further layer of defense, but WAF rules can be bypassed and should not be relied on alone. After upgrading, confirm the fix by submitting a simple XSS payload in the 'First Name' field on a test instance and verifying that the value is rendered as inert text (the angle brackets and quotes appear encoded in the page source) rather than executed.
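The workaround and the post-upgrade check described above, as an added PHP example. This is not code from Best Courier Management System or SourceCodester; it assumes, hypothetically, that the Manage Account Page reads the field from a POST parameter named `firstname` and later echoes it into an `<input value="...">` attribute, which is the pattern behind this class of XSS. The function names, the 50-character limit and the two payloads are all constructed for the example.

```php
<?php
// Added example for this advisory; not code from Best Courier Management
// System. Assumes (hypothetically) that the stored first name is echoed into a
// double-quoted HTML attribute on the Manage Account Page.
declare(strict_types=1);

/** Vulnerable pattern: the stored value is concatenated into HTML unencoded. */
function renderFirstNameVulnerable(string $firstName): string
{
    return '<input type="text" name="firstname" value="' . $firstName . '">';
}

/** Output encoding for HTML body text and double-quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened rendering: encode at the point of output, every time. */
function renderFirstNameSafe(string $firstName): string
{
    return '<input type="text" name="firstname" value="' . e($firstName) . '">';
}

/**
 * Input validation as defense in depth: returns the normalised name, or null
 * if the value is empty, longer than 50 characters (an assumed limit), or
 * contains characters a name should not. Validation narrows what gets stored;
 * it does not replace output encoding.
 */
function validateFirstName(string $firstName): ?string
{
    $name = trim($firstName);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    // Letters and combining marks from any script, plus space, apostrophe, hyphen, period.
    return preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name) === 1 ? $name : null;
}

/**
 * Post-fix verification helper: given the HTML returned after submitting a
 * payload, report whether the payload came back byte-for-byte unencoded
 * (true means the page is still vulnerable).
 */
function payloadReflectedRaw(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed payloads: the one quoted in the advisory, plus an attribute-context
// payload with no angle brackets, which a filter that only strips "<script>" misses.
$payloads = [
    "<script>alert('XSS')</script>",
    '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $p) {
    printf("payload: %s\n", $p);
    printf("  validation:  %s\n", validateFirstName($p) === null ? 'rejected' : 'accepted');
    printf("  vulnerable:  %s\n", renderFirstNameVulnerable($p));
    printf("  hardened:    %s\n", renderFirstNameSafe($p));
    printf("  raw reflect: vulnerable=%s hardened=%s\n",
        payloadReflectedRaw(renderFirstNameVulnerable($p), $p) ? 'yes' : 'no',
        payloadReflectedRaw(renderFirstNameSafe($p), $p) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The second payload is the reason output encoding, not tag stripping, is the real fix: it closes the `value` attribute and adds an event handler without ever using `<` or `>`. The encoding chosen here is correct only for HTML body text and quoted attributes; a value written into a JavaScript string, a URL or a CSS context needs the encoder for that context, and unquoted attributes should not be used at all. `payloadReflectedRaw` is the programmatic form of the manual check in the mitigation text: after the upgrade, the response for the page should contain the encoded form of the payload and never the raw one.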
Upgrade Best Courier Management System to a version later than 1.0 or apply the vendor-provided patch to fix the XSS vulnerability in the account management page. Validate and escape user input in the 'First Name' field to prevent injection of malicious scripts. Consult the provided references for more details on the vulnerability and possible solutions.
CVE-2023-5302 is a cross-site scripting (XSS) vulnerability affecting Best Courier Management System version 1.0. It allows attackers to inject malicious scripts via the Manage Account Page's 'First Name' field.
You are affected if you are running Best Courier Management System version 1.0. Upgrade to version 1.0.1 to remediate the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'First Name' field.
While no active exploitation campaigns have been definitively linked to it, the public disclosure increases the risk of exploitation.
Refer to the VulDB entry VDB-240941 and the SourceCodester website for the disclosure details and references regarding CVE-2023-5302.