Platform: php
Component: online-motorcycle-rental-system
Fixed version: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Motorcycle Rental System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /admin/?page=bike endpoint, specifically in the handling of the Model parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-5585 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, which can then be used to impersonate the user and gain unauthorized access to the administrative panel. An attacker could also deface the website or redirect users to malicious sites. The impact is particularly severe for administrators, as their accounts could be compromised, granting the attacker full control over the motorcycle rental system.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is 2.4 (LOW), indicating a limited impact. It is not currently listed on CISA KEV. The vulnerability's location within the administrative interface suggests that exploitation would likely require an attacker to have some level of access to the system, or be able to trick an administrator into clicking a malicious link.
Administrators of Online Motorcycle Rental System installations running version 1.0 are at the highest risk. Shared hosting environments where multiple users share the same server instance are also particularly exposed, as a compromise of one user's account could potentially lead to the compromise of others.
• generic web: Use curl or wget to access /admin/?page=bike and inspect the response for signs of injected script tags (replace <host> with the address of the installation you administer):
  curl -s -X POST 'https://<host>/admin/?page=bike' -d 'Model=<script>alert("XSS")</script>' | grep -i alert
• php: Examine the source code behind /admin/?page=bike for inadequate input validation or output encoding of the Model parameter. Search for functions like htmlspecialchars or strip_tags that are missing or not being used correctly.
• generic web: Monitor access logs for unusual requests to /admin/?page=bike with suspicious parameters in the Model field.
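The log-monitoring check above, as an added example that is not part of the advisory or of the SourceCodester project: a small PHP CLI script that parses constructed access-log lines in the common log format, picks out requests to /admin/?page=bike, and flags any Model value that carries markup, an event-handler attribute or a javascript: URL. The log lines, the client addresses and the helper names are constructed for illustration. One caveat worth knowing before relying on this: a standard web-server access log records only the request line, so it exposes Model values sent in the query string but not in a POST body; body-borne values need application-level or WAF logging.

```php
<?php
// Added example (not the advisory's or the project's own code): scan access-log
// lines for suspicious Model values aimed at /admin/?page=bike.
// The log content below is constructed; only query-string parameters are visible
// in a standard access log, so POST bodies cannot be inspected this way.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "GET /admin/?page=bike&Model=Ninja%20400 HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2023:12:00:02 +0000] "GET /admin/?page=bike&Model=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5130
203.0.113.12 - - [10/Oct/2023:12:00:03 +0000] "GET /admin/?page=bike&Model=CBR500R%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 5125
203.0.113.13 - - [10/Oct/2023:12:00:04 +0000] "POST /admin/?page=bike HTTP/1.1" 302 0
LOG;

// Legitimate values on this form are plain model names, so any angle bracket,
// on*= attribute or javascript: scheme is out of place and worth an alert.
function modelLooksSuspicious(string $model): bool
{
    return (bool) preg_match('/<|>|\bon\w+\s*=|javascript:/i', $model);
}

// Returns one record per suspicious request: client IP, method and decoded Model.
function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common log format: client address first, then the quoted request line.
        if (!preg_match('/^(\S+) .*?"(\w+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH) ?? '';
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        parse_str($query, $params);          // percent-decodes the parameters
        if ($path !== '/admin/' || ($params['page'] ?? '') !== 'bike') {
            continue;
        }
        $model = (string) ($params['Model'] ?? '');
        if (modelLooksSuspicious($model)) {
            $hits[] = ['ip' => $ip, 'method' => $method, 'model' => $model];
        }
    }
    return $hits;
}

foreach (scanAccessLog(SAMPLE_LOG) as $hit) {
    printf("ALERT %s %s Model=%s\n", $hit['ip'], $hit['method'], $hit['model']);
}
```

Run it with `php scan.php` against the embedded sample; to use a real log, replace the constant with the contents of the server's access log. The two constructed probe lines are reported, the legitimate "Ninja 400" request is not, and the POST line is silently skipped because its Model value is not in the request line at all.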
disclosure
patch
Exploitation status
EPSS: 0.04% (14th percentile)
CVSS vector
The primary mitigation for CVE-2023-5585 is to upgrade to version 1.0.1 of the Online Motorcycle Rental System. If upgrading is not immediately feasible, implement input validation and output encoding for the Model parameter in the code behind /admin/?page=bike. While not a complete solution, this reduces the attack surface. A web application firewall (WAF) configured to detect and block XSS payloads aimed at this endpoint can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by submitting a simple script (e.g., <script>alert('XSS')</script>) in the Model parameter and verifying that it does not execute.
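The interim mitigation described above, as an added example that is not the SourceCodester project's own code: a vulnerable rendering of the Model field, placed beside a hardened version that validates the submitted value and encodes it at the point of output. The function names, the form markup and the validation rule are assumptions made for illustration; the real bike page is not reproduced here.

```php
<?php
// Added example (not the project's code): vulnerable versus hardened handling
// of the Model parameter. Function and field names are assumed for illustration.

declare(strict_types=1);

// Vulnerable: the submitted value is written straight into an HTML attribute,
// so a value beginning with  ">  closes the attribute and the tag.
function renderModelFieldVulnerable(string $model): string
{
    return '<input type="text" name="Model" value="' . $model . '">';
}

// Hardened, step 1: input validation. A motorcycle model name needs letters,
// digits, spaces and a little punctuation; anything else is rejected, and the
// length is bounded. The exact character set is an assumption for this example.
function validateModel(string $model): ?string
{
    $model = trim($model);
    if ($model === '' || strlen($model) > 100) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 .\-\/]+$/', $model) ? $model : null;
}

// Hardened, step 2: output encoding at render time. ENT_QUOTES neutralises both
// quote styles inside attributes, and the charset is named explicitly.
function renderModelFieldHardened(string $model): string
{
    $safe = htmlspecialchars($model, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="Model" value="' . $safe . '">';
}

// Request handling: validate first and refuse to store or echo a raw value;
// encode whatever is rendered back, even a value that passed validation.
function handleModelSubmission(array $post): string
{
    $model = validateModel((string) ($post['Model'] ?? ''));
    if ($model === null) {
        return '<p class="error">Invalid model name.</p>' . renderModelFieldHardened('');
    }
    // Persist $model with a prepared statement before rendering it back.
    return renderModelFieldHardened($model);
}

// The same probe the advisory suggests for verification after patching.
$probe = '"><script>alert(1)</script>';
echo renderModelFieldVulnerable($probe), "\n";          // attribute broken, <script> emitted
echo renderModelFieldHardened($probe), "\n";            // &quot;&gt;&lt;script&gt;... stays inert text
echo handleModelSubmission(['Model' => $probe]), "\n";  // rejected by validation
echo handleModelSubmission(['Model' => 'Ninja 400']), "\n";
```

Validation and encoding are deliberately separate: the regex keeps junk out of the database, but encoding at output is what makes rendering safe regardless of how a value got there, which matters if other code paths write to the same column. Encode in the template for every context the value reaches, and use the HTML-attribute pattern shown here only for attributes and element text, not for script or URL contexts.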
Update the Online Motorcycle Rental System to a patched version or apply the necessary security measures to prevent injection of malicious code into the 'Model' field. Validate and escape user input to prevent XSS attacks.
CVE-2023-5585 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Motorcycle Rental System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are running SourceCodester Online Motorcycle Rental System version 1.0. Check your version and upgrade immediately.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the Model parameter.
While exploitation is possible due to public disclosure, there are no confirmed reports of active exploitation at this time.
Refer to the SourceCodester website or their official communication channels for the advisory regarding CVE-2023-5585.