A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Reviewer System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides in the /system/system/admins/manage/users/btn_functions.php file, specifically through manipulation of the 'firstname' argument. A fix is pending, and mitigation strategies are crucial.
Successful exploitation of CVE-2026-2224 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Reviewer System. This can lead to various malicious actions, including session hijacking, phishing attacks, and defacement of the application. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to administrative functions. The public availability of the exploit significantly increases the risk of widespread exploitation.
The exploit for CVE-2026-2224 is publicly available, indicating a high probability of exploitation. The vulnerability was added to the NVD database on 2026-02-09. Given the ease of exploitation and public availability, organizations using Online Reviewer System 1.0 should prioritize implementing mitigation strategies immediately.
Organizations utilizing the Online Reviewer System 1.0, particularly those with publicly accessible admin interfaces, are at significant risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user could potentially impact others.
• php / web: locate where the application reads the parameter from the request:
grep -r 'firstname = $_POST' /var/www/html/
• generic web: reproduce the request shape the advisory describes against your own instance (replace <target_url>; the URL is quoted so the shell does not treat the angle brackets as redirections):
curl -I '<target_url>/system/system/admins/manage/users/btn_functions.php?firstname=<script>alert(1)</script>'
• generic web: look for past requests to the vulnerable script that carried the parameter in the access log:
grep -i 'btn_functions.php.*firstname=' /var/log/apache2/access.log
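The access-log check above only matches on the parameter name; the following is an added example (not code from the advisory or from code-projects) that goes one step further and flags only those requests to btn_functions.php whose 'firstname' value, after URL decoding, contains markup. The log lines are constructed for the demo, and the decoding handles a double-encoded value as well as a plain one.

```php
<?php
// Added example, not from the advisory or from code-projects: scan Apache
// combined-format access log lines for requests to btn_functions.php whose
// 'firstname' query parameter, once URL-decoded, carries HTML or script markup.
// The log lines below are constructed for this demo.

function suspiciousFirstname(string $logLine): ?string
{
    // Pull the request target out of the '"GET /path?query HTTP/1.1"' field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $target = $m[1];
    $qpos = strpos($target, '?');
    if ($qpos === false || strpos(substr($target, 0, $qpos), 'btn_functions.php') === false) {
        return null;
    }
    parse_str(substr($target, $qpos + 1), $params);
    if (!isset($params['firstname']) || !is_string($params['firstname'])) {
        return null;
    }
    // parse_str removes one layer of percent-encoding; decode once more so a
    // double-encoded value (%253C) is inspected in its final form as well.
    $value = rawurldecode($params['firstname']);
    // Angle brackets, inline event handlers or javascript: URIs never belong
    // in a person's first name.
    if (preg_match('/<|>|on\w+\s*=|javascript:/i', $value)) {
        return $value;
    }
    return null;
}

// Constructed sample: one benign request, one plain payload, one
// double-encoded payload, and one request to an unrelated script.
$sampleLog = [
    '10.0.0.5 - - [09/Feb/2026:10:01:02 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Feb/2026:10:02:17 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [09/Feb/2026:10:02:18 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640',
    '10.0.0.7 - - [09/Feb/2026:10:03:40 +0000] "GET /index.php?firstname=%3Cb%3E HTTP/1.1" 200 100',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousFirstname($line);
    if ($hit !== null) {
        // Escape the decoded value so the report itself is safe to view in a browser.
        printf("ALERT: %s\n", htmlspecialchars($hit, ENT_QUOTES, 'UTF-8'));
    }
}
```

Only the second and third lines are reported; the benign name and the request to index.php are ignored because the check is scoped to the vulnerable script. Run it as `php scan.php` on a copy of the log after replacing the constructed array with lines read from the file.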
Exploitation status
EPSS: 0.03% (8th percentile)
While a patch is not yet available, several mitigation steps can be implemented to reduce the risk of exploitation. Input sanitization is paramount; rigorously validate and sanitize all user-supplied data, particularly the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php. Implementing a Web Application Firewall (WAF) with XSS protection rules can also effectively block malicious requests. Consider using a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Regularly review and update the application's codebase to identify and address potential vulnerabilities.
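To make the sanitization advice concrete, the following is an added example (not the project's own code from btn_functions.php) that places the unsafe reflection pattern the advisory describes beside a hardened version: validation of the 'firstname' parameter on input, HTML encoding on output, and a restrictive CSP header as the second layer. The input array stands in for $_POST so the file runs from the command line; the function names are hypothetical.

```php
<?php
// Added example, not code-projects' own code: the unsafe pattern the advisory
// describes, beside a hardened version. A plain array stands in for $_POST so
// the file can be run from the CLI; function names are hypothetical.

// Unsafe (illustrative only): the raw parameter is written straight into HTML.
function renderUnsafe(array $input): string
{
    $firstname = $input['firstname'] ?? '';
    return "<td>$firstname</td>";
}

// Step 1: validate on input. Accept letters in any script, combining marks,
// spaces, hyphens and apostrophes, 1 to 60 characters; reject anything else.
function validateFirstname(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/^[\p{L}\p{M}\' -]{1,60}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Step 2: encode on output regardless of validation, so a value that reached
// storage by another path still cannot break out of the HTML text context.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

function renderSafe(array $input): string
{
    $name = validateFirstname((string)($input['firstname'] ?? ''));
    if ($name === null) {
        return '<td class="error">invalid first name</td>';
    }
    return '<td>' . escapeHtml($name) . '</td>';
}

// Step 3: a restrictive Content Security Policy as a second layer. Inline
// scripts are not allowed, so an injected <script> block that slipped past
// the other controls would still be refused by a conforming browser.
function cspHeader(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI !== 'cli') {
    header(cspHeader());
}

// Constructed inputs: the payload from the advisory and a legitimate name
// containing an apostrophe, which validation must accept and output must encode.
$payload = ['firstname' => '<script>alert(1)</script>'];
echo renderUnsafe($payload), "\n";
echo renderSafe($payload), "\n";
echo renderSafe(['firstname' => "O'Brien"]), "\n";
```

The validation step rejects the advisory's payload outright, while the encoding step turns the apostrophe in a legitimate name into an entity, which is why both layers are kept: validation stops obvious markup, encoding covers everything validation lets through. The CSP header is sent only when the script runs under a web server, since header() has no effect on the CLI.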
Update Online Reviewer System to a version after 1.0, if one exists, to fix the cross-site scripting (XSS) vulnerability in btn_functions.php. Alternatively, sanitize user input, in particular the 'firstname' parameter, to prevent malicious code injection.
CVE-2026-2224 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0, allowing attackers to inject malicious scripts via the firstname parameter. It's rated as LOW severity.
If you are using Online Reviewer System version 1.0, you are potentially affected. Immediate mitigation steps are recommended until a patch is released.
A patch is not yet available. Mitigate by implementing input sanitization, WAF rules, and a Content Security Policy (CSP).
The exploit is publicly available, suggesting a high probability of active exploitation. Organizations should act quickly to mitigate the risk.
Refer to the NVD entry for CVE-2026-2224 for the latest information and any official advisories from code-projects.