CVE Catalog

CVE-2023-3005

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.62%

45th percentile — higher than 45% of all known CVEs

Summary

A vulnerability was found in SourceCodester Local Service Search Engine Management System version 1.0 that allows cross-site scripting (XSS) attacks through manipulation of the POST parameter in the /admin/ajax.php file. Inputting a malicious script like <script>alert(document.cookie)</script> can lead to unauthorized access to user data.

Risk Assessment

This vulnerability poses a risk of remote attacks, potentially leading to the theft of user session data and other sensitive information. The public disclosure of the exploit increases the likelihood of it being used by cybercriminals.

Recommendation

It is recommended to immediately update the system to the latest version that addresses this vulnerability. Additionally, implementing security measures against XSS attacks, such as input validation and sanitization, is advisable.

Original NVD description (English source)

A vulnerability, which was classified as problematic, was found in SourceCodester Local Service Search Engine Management System 1.0. This affects an unknown part of the file /admin/ajax.php?action=save_area of the component POST Parameter Handler. The manipulation of the argument area with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230349 was assigned to this vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS