Vulnerability-Lookup

CNVD-2023-38188

Vulnerability from cnvd - Published: 2023-05-18

Title

Service Provider Management System跨站脚本漏洞

Description

Service Provider Management System是Carlo Montero个人开发者的一个基于web的应用程序。旨在为服务提供商公司提供动态网站。 Service Provider Management System 1.0版本存在跨站脚本漏洞，该漏洞源于对参数page的错误操作导致跨站脚本编写，攻击者可利用该漏洞通过注入精心设计的有效载荷执行任意Web脚本或HTML。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html

Reference

https://github.com/E1CHO/cve_hub/blob/main/Service%20Provider%20Management%20System/Service%20Provider%20Management%20System%20-%20vuln%204.pdf

Impacted products

Name
Carlo Montero Service Provider Management System v1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-2349",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-2349"
    }
  },
  "description": "Service Provider Management System\u662fCarlo Montero\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2a\u57fa\u4e8eweb\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u65e8\u5728\u4e3a\u670d\u52a1\u63d0\u4f9b\u5546\u516c\u53f8\u63d0\u4f9b\u52a8\u6001\u7f51\u7ad9\u3002\n\nService Provider Management System 1.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u53c2\u6570page\u7684\u9519\u8bef\u64cd\u4f5c\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u7f16\u5199\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u6709\u6548\u8f7d\u8377\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-38188",
  "openTime": "2023-05-18",
  "products": {
    "product": "Carlo Montero Service Provider Management System v1.0"
  },
  "referenceLink": "https://github.com/E1CHO/cve_hub/blob/main/Service%20Provider%20Management%20System/Service%20Provider%20Management%20System%20-%20vuln%204.pdf",
  "serverity": "\u4e2d",
  "submitTime": "2023-05-05",
  "title": "Service Provider Management System\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2023-2349 (GCVE-0-2023-2349)

Vulnerability from cvelistv5 – Published: 2023-04-27 15:00 – Updated: 2024-11-22 19:52

Title

SourceCodester Service Provider Management System index.php cross site scripting

Summary

A vulnerability classified as problematic has been found in SourceCodester Service Provider Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227592.

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 (Low)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-79 - Cross Site Scripting

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.227592	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.227592	signaturepermissions-required
	https://github.com/E1CHO/cve_hub/blob/main/Servic…	exploit

Impacted products

	Vendor	Product	Version
	SourceCodester	Service Provider Management System	Affected: 1.0

Credits

SSL_Seven_Security Lab_WangZhiQiang_XiaoZiLong (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:19:14.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.227592"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.227592"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://github.com/E1CHO/cve_hub/blob/main/Service%20Provider%20Management%20System/Service%20Provider%20Management%20System%20-%20vuln%204.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2349",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-04T19:03:10.256798Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-22T19:52:59.163Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Service Provider Management System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "SSL_Seven_Security Lab_WangZhiQiang_XiaoZiLong (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as problematic has been found in SourceCodester Service Provider Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227592."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in SourceCodester Service Provider Management System 1.0 entdeckt. Es geht dabei um eine nicht klar definierte Funktion der Datei /admin/index.php. Mit der Manipulation des Arguments page mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-22T16:08:41.325Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.227592"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.227592"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/E1CHO/cve_hub/blob/main/Service%20Provider%20Management%20System/Service%20Provider%20Management%20System%20-%20vuln%204.pdf"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-04-27T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-05-21T09:54:52.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Service Provider Management System index.php cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-2349",
    "datePublished": "2023-04-27T15:00:09.075Z",
    "dateReserved": "2023-04-27T13:38:11.152Z",
    "dateUpdated": "2024-11-22T19:52:59.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-38188

CVE-2023-2349 (GCVE-0-2023-2349)

Tags

Sightings

Nomenclature