平台
php
组件
5992b65cca5612c036f1d31d8d8f0646
修复版本
1.0.1
CVE-2026-4973 describes a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions up to 1.0. This flaw resides within the /add-question.php file endpoint and allows attackers to inject malicious scripts by manipulating the quiz_question parameter. Successful exploitation could lead to session hijacking or defacement. A patch is expected, and temporary mitigation strategies are available.
An attacker can exploit this XSS vulnerability to inject arbitrary JavaScript code into the SourceCodester Online Quiz System. This code could be executed in the context of a user's browser when they access the affected page. The impact ranges from simple defacement of the quiz system to more severe consequences like stealing user session cookies, redirecting users to malicious websites, or even gaining control of the user's account. Given the quiz system's potential use in educational or assessment settings, this could compromise sensitive user data and system integrity. The public availability of the exploit increases the risk of immediate exploitation.
CVE-2026-4973 has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the availability of a PoC significantly increases the risk.
Organizations and individuals using SourceCodester Online Quiz System version 1.0, particularly those hosting the application on shared hosting environments or without robust security monitoring, are at increased risk. Educational institutions and businesses relying on the quiz system for assessments or training are also vulnerable.
• php / web:
curl -s -X POST "http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"• generic web:
curl -I http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>• generic web: Examine access logs for requests to /add-question.php containing suspicious JavaScript code in the quiz_question parameter.
disclosure
漏洞利用状态
EPSS
0.03% (9% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-4973 is to upgrade to a patched version of SourceCodester Online Quiz System as soon as it becomes available. Until then, several temporary measures can be implemented. First, implement strict input sanitization on the quizquestion parameter within the /add-question.php file. Second, configure a Web Application Firewall (WAF) to filter out potentially malicious JavaScript code. Third, review and harden the application's security configuration, ensuring proper output encoding and escaping. After applying mitigations, verify the fix by attempting to inject a simple JavaScript payload through the quizquestion parameter and confirming it is not executed.
升级 SourceCodester Online Quiz System 到 1.0 之后的版本。如果不可用,建议禁用或删除易受攻击的组件。作为临时措施,可以在 add-question.php 文件中实施对 'quiz_question' 输入的彻底验证和清理,以防止恶意代码注入。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-4973 is a cross-site scripting (XSS) vulnerability in SourceCodester Online Quiz System versions up to 1.0, allowing attackers to inject malicious scripts via the /add-question.php endpoint.
If you are using SourceCodester Online Quiz System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade to a patched version of SourceCodester Online Quiz System. Until then, implement input sanitization and WAF rules.
A proof-of-concept exploit is publicly available, suggesting a high probability of active exploitation.
Refer to the SourceCodester website and security forums for updates and advisories regarding CVE-2026-4973.