1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Online Food Ordering System version 1.0. This flaw resides within the /dbfood/food.php file and allows attackers to inject malicious scripts through manipulation of the 'cuisines' argument. Successful exploitation can lead to session hijacking or defacement of the application, impacting users of version 1.0. A fix is expected from the vendor.
The XSS vulnerability in Online Food Ordering System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The public availability of an exploit significantly increases the risk of exploitation, potentially impacting a wide range of users who rely on the system for online food ordering.
The vulnerability is publicly disclosed and a proof-of-concept exploit is available, indicating a higher likelihood of exploitation. The CVSS score of 2.4 (LOW) suggests the vulnerability is relatively easy to exploit but has limited impact. It is not currently listed on CISA KEV as of this writing.
Businesses and individuals using the Online Food Ordering System version 1.0 are at risk, particularly those who have not implemented robust input validation and sanitization practices. Shared hosting environments where multiple applications share the same server are also at increased risk, as a compromised application could potentially impact others.
• php / web:
  grep -r 'cuisines' /var/www/html/dbfood/food.php
• generic web (quote the URL so the shell does not interpret `?`, `<` and `>`):
  curl -I '<affected_url>/dbfood/food.php?cuisines=<script>alert(1)</script>'
• generic web: Check access logs for requests to /dbfood/food.php with unusual or suspicious values in the cuisines parameter.
Exploitation status: disclosure
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
While a patch is pending, immediate mitigation steps can reduce the risk. Input validation and sanitization on the 'cuisines' parameter within /dbfood/food.php is crucial. Implement strict output encoding to prevent injected scripts from being executed. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly monitor application logs for suspicious activity related to the /dbfood/food.php endpoint.
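As an added illustration of the mitigation steps above (this is not code from Online Food Ordering System; its food.php is not reproduced here), a hardened handler for the 'cuisines' parameter. The allowlist values, the assumption that food.php reflects the parameter into the page, and the CSP header are assumptions for the example:

```php
<?php
// Added example, not the project's code: allowlist validation plus output
// encoding for the 'cuisines' query parameter, with CSP as defence in depth.
declare(strict_types=1);

// Constructed allowlist of values the application legitimately accepts.
const ALLOWED_CUISINES = ['italian', 'chinese', 'indian', 'mexican', 'thai'];

/**
 * Validate the raw 'cuisines' value against the allowlist.
 * Returns the canonical value, or null when the input is not acceptable.
 */
function validateCuisine(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = strtolower(trim($raw));
    // Strict comparison: anything containing markup, quotes or other
    // unexpected characters is simply not in the list and is rejected.
    return in_array($value, ALLOWED_CUISINES, true) ? $value : null;
}

/**
 * Encode a string for safe insertion into HTML text or attribute content.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: a CSP that forbids inline scripts limits what any
// reflected payload that slipped past validation could do.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$cuisine = validateCuisine($_GET['cuisines'] ?? null);

if ($cuisine === null) {
    http_response_code(400);
    // Do not echo the rejected input back; report only that it was invalid.
    echo '<p>Unknown cuisine selection.</p>';
    exit;
}

// Vulnerable pattern the advisory describes (assumed): reflecting the raw
// parameter, e.g.  echo "<h2>Results for " . $_GET['cuisines'] . "</h2>";
// Hardened: the value is allowlisted and still encoded on output.
echo '<h2>Results for ' . h($cuisine) . '</h2>';
```

Allowlisting is the primary control here because the parameter has a small, known set of legitimate values; output encoding remains in place so that a later change to the allowlist cannot reintroduce the flaw.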
Update Online Food Ordering System to a patched version that fixes the cross-site scripting (XSS) vulnerability. If none is available, implement additional security measures, such as validating and sanitizing user input, to prevent XSS attacks.
CVE-2026-4899 is a cross-site scripting (XSS) vulnerability in Online Food Ordering System version 1.0, affecting the /dbfood/food.php file. Attackers can inject malicious scripts by manipulating the 'cuisines' argument.
If you are using Online Food Ordering System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The vendor is expected to release a patch. Until then, implement input validation, output encoding, and consider using a WAF to mitigate the risk.
A public exploit exists, suggesting a higher likelihood of active exploitation. Monitor your application and logs for suspicious activity.
Refer to the Online Food Ordering System website or vendor communication channels for the official advisory and patch information.