Platform
php
Component
cvesmarz
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Reviewer System, affecting versions up to 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the btn_functions.php file, specifically in an unknown function handling the 'Description' argument. Public disclosure of this exploit highlights the urgency of remediation.
Successful exploitation of CVE-2026-4972 allows an attacker to inject arbitrary JavaScript code into the Online Reviewer System. This code can then be executed in the context of a victim's browser when they access a vulnerable page. The impact ranges from session hijacking and defacement to the theft of sensitive information, such as user credentials or personal data. The remote nature of the vulnerability means attackers do not need local access to exploit it. While the CVSS score is LOW, the potential for widespread impact through user interaction should not be underestimated, particularly in environments with many users.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The exploit is readily available, making it accessible to a wide range of attackers. The vulnerability is not currently listed on CISA KEV. Given the public availability of the exploit and the ease of execution, proactive mitigation is strongly recommended.
Organizations utilizing the Online Reviewer System, particularly those with a large user base or sensitive data, are at risk. Shared hosting environments where multiple users share the same server and application instance are especially vulnerable, as an attacker could potentially compromise other users through this XSS vulnerability.
• php / server:
grep -r "btn_functions.php" /var/www/html/
• generic web:
curl -I http://your-online-reviewer-system/system/system/students/assessments/databank/btn_functions.php | grep -i "X-XSS-Protection"
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4972 is to upgrade to a patched version of the Online Reviewer System (a fixed version is not specified in the provided data). In the absence of a patch, implement robust input validation on the 'Description' argument within btn_functions.php to prevent the injection of malicious scripts. Strict output encoding, particularly when displaying user-supplied data, is also crucial. Consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting this specific vulnerability. Review and update existing security policies to emphasize the importance of secure coding practices and regular vulnerability scanning.
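The validate-on-input, encode-on-output pattern described above, shown as an added PHP illustration rather than code from the Online Reviewer System: the project's real btn_functions.php handler is not on this page, so the function names and the constructed sample input are hypothetical.

```php
<?php
// Added illustration, not the project's code. The actual function in
// btn_functions.php that handles 'Description' is unknown, so the names
// below are hypothetical; the sample input is constructed.

// Before: the defect class the advisory describes, reflecting the
// 'Description' value into HTML without encoding.
function render_description_unsafe(string $description): string
{
    return '<td class="desc">' . $description . '</td>';
}

// After, step 1: validate on input. This rejects oversized or control-character
// input; it does not try to pattern-match script, because output encoding is
// the defence that actually neutralises markup.
function validate_description(string $description): string
{
    $description = trim($description);
    if (mb_strlen($description, 'UTF-8') > 1000) {
        throw new InvalidArgumentException('Description too long');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $description)) {
        throw new InvalidArgumentException('Description contains control characters');
    }
    return $description;
}

// After, step 2: encode on output. ENT_QUOTES covers both quote styles so the
// value is safe inside attributes as well as element content; ENT_SUBSTITUTE
// prevents htmlspecialchars() from silently returning '' on malformed UTF-8.
function render_description(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="desc">' . $encoded . '</td>';
}

// Constructed sample: a description carrying markup, as a user could submit
// via the 'Description' argument. The unsafe renderer would echo the tag
// verbatim; the hardened path renders it as inert text.
$sample = 'Great reviewer <script>alert(1)</script>';
echo render_description(validate_description($sample)), PHP_EOL;
```

Apply the same encoding at every point where the stored Description is reflected, not only in the handler that receives it; a single unencoded sink is enough to keep the page vulnerable.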
Upgrade to a patched version, or apply the vendor's recommended security measures to mitigate the XSS vulnerability. Validate and sanitize user input, especially the 'Description' field, to prevent malicious code injection.
CVE-2026-4972 is a cross-site scripting (XSS) vulnerability affecting Online Reviewer System versions up to 1.0. It allows attackers to inject malicious scripts via the Description argument, potentially compromising user sessions.
If you are using Online Reviewer System version 1.0, you are potentially affected. Assess your environment and implement mitigations immediately.
Upgrade to a patched version of Online Reviewer System. If a patch is unavailable, implement input validation and output encoding to prevent script injection.
The vulnerability has been publicly disclosed and an exploit is available, increasing the likelihood of active exploitation. Proactive mitigation is recommended.
Refer to the Online Reviewer System project's official website or security advisory page for updates and information regarding CVE-2026-4972.