CVE-2023-36118 - Vulnerability Details - OpenCVE

Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Faculty Evaulation System Project	Faculty Evaulation System

Configuration 1 [-]

cpe:2.3:a:faculty_evaulation_system_project:faculty_evaulation_system:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html
https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md
https://hackmd.io/%40SY-T/Hy6HvwxPn
https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7
https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70

History

Thu, 17 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-01T00:00:00

Updated: 2024-10-17T20:36:31.502Z

Reserved: 2023-06-21T00:00:00

Link: CVE-2023-36118

Vulnrichment

Updated: 2024-08-02T16:37:41.270Z

NVD

Status : Modified

Published: 2023-08-01T23:15:30.217

Modified: 2024-11-21T08:09:18.763

Link: CVE-2023-36118

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-36118", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-17T20:36:31.502Z", "dateReserved": "2023-06-21T00:00:00", "datePublished": "2023-08-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-02T00:00:00"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html"}, {"url": "https://hackmd.io/%40SY-T/Hy6HvwxPn"}, {"url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md"}, {"url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7"}, {"url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:37:41.270Z"}, "title": "CVE Program Container", "references": [{"url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html", "tags": ["x_transferred"]}, {"url": "https://hackmd.io/%40SY-T/Hy6HvwxPn", "tags": ["x_transferred"]}, {"url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md", "tags": ["x_transferred"]}, {"url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7", "tags": ["x_transferred"]}, {"url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-17T20:36:22.484288Z", "id": "CVE-2023-36118", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T20:36:31.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html", "tags": ["x_transferred"]}, {"url": "https://hackmd.io/%40SY-T/Hy6HvwxPn", "tags": ["x_transferred"]}, {"url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md", "tags": ["x_transferred"]}, {"url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7", "tags": ["x_transferred"]}, {"url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:37:41.270Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36118", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-17T20:36:22.484288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T20:36:26.735Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html"}, {"url": "https://hackmd.io/%40SY-T/Hy6HvwxPn"}, {"url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md"}, {"url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7"}, {"url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-02T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2023-36118", "state": "PUBLISHED", "dateUpdated": "2024-10-17T20:36:31.502Z", "dateReserved": "2023-06-21T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-08-01T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:faculty_evaulation_system_project:faculty_evaulation_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6B643718-99F1-4294-92FF-6BD77BE0CE22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter."}, {"lang": "es", "value": "La vulnerabilidad Cross Site Scripting (XSS) en Faculty Evaluation System usando PHP/MySQLi v.1.0 permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de una carga \u00fatil manipulada en el par\u00e1metro de la page."}], "id": "CVE-2023-36118", "lastModified": "2024-11-21T08:09:18.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-01T23:15:30.217", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md"}, {"source": "cve@mitre.org", "url": "https://hackmd.io/%40SY-T/Hy6HvwxPn"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/Faculty%20Evaluation%20System%20v1.0.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackmd.io/%40SY-T/Hy6HvwxPn"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.chtsecurity.com/news/4ffbe017-70e1-4789-bfe6-4d6fb0d1a0b7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/5282e0af-7c45-43b0-9869-9becee7d6d70"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}