VDB-249201 · CVE-2023-7166 · GCVE-100-249201

Novel-Plus Dok 4.2.0 HTTP POST Request /user/updateUserInfo nickName Skriptovanje preko sajta

Otkrivena je ranjivost klasifikovana kao Problematiиno u Novel-Plus Dok 4.2.0. Pogođeno je nepoznata funkcija u fajlu /user/updateUserInfo u komponenti HTTP POST Request Handler. Manipulacija argumentom nickName dovodi do Skriptovanje preko sajta. Upotreba CWE za identifikaciju problema vodi ka CWE-79. Slabost je objavljena 12/28/2023 kao c62da9bb3a9b3603014d0edb436146512631100d. Izveštaj je podeljen za preuzimanje na github.com. Ova bezbednosna slabost se vodi pod oznakom CVE-2023-7166. Postoji mogućnost pokretanja napada sa udaljene lokacije. Napad se mora sprovesti u okviru lokalne mreže. Tehničke informacije su dostupne. Додатно, постоји доступан експлоит. Eksploit je objavljen javnosti i može se koristiti. Trenutna cena za eksploataciju može biti približno USD $0-$5k u ovom trenutku. MITRE ATT&CK projekat navodi tehniku napada kao T1059.007. Proglašeno je za dokaz-of-koncept. Ekspoit je podeljen za preuzimanje na github.com. Kao 0-day, procenjena podzemna cena iznosila je oko $0-$5k. Ime zakrpe je c62da9bb3a9b3603014d0edb436146512631100d. Ispravka može biti preuzeta sa github.com. Preporučuje se instalacija zakrpe radi otklanjanja ovog problema. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

3 Promene · 75 Tačke podataka

Polje	Kreirali 12/28/2023 21:34	Ažurira 1/2 01/20/2024 14:45	Ažurira 2/2 01/20/2024 14:46
software_name	Novel-Plus	Novel-Plus	Novel-Plus
software_version	<=4.2.0	<=4.2.0	<=4.2.0
software_component	HTTP POST Request Handler	HTTP POST Request Handler	HTTP POST Request Handler
software_file	/user/updateUserInfo	/user/updateUserInfo	/user/updateUserInfo
software_argument	nickName	nickName	nickName
vulnerability_cwe	CWE-79 (Skriptovanje preko sajta)	CWE-79 (Skriptovanje preko sajta)	CWE-79 (Skriptovanje preko sajta)
vulnerability_risk	1	1	1
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	R	R	R
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	N	N	N
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	N	N	N
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
advisory_url	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md
exploit_availability	1	1	1
exploit_publicity	1	1	1
exploit_url	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md	https://github.com/JTZ-a/SRC/blob/master/novel-plus/storedXSS/en-us.md
countermeasure_name	Zakrpa	Zakrpa	Zakrpa
patch_name	c62da9bb3a9b3603014d0edb436146512631100d	c62da9bb3a9b3603014d0edb436146512631100d	c62da9bb3a9b3603014d0edb436146512631100d
countermeasure_patch_url	https://github.com/201206030/novel-plus/commit/c62da9bb3a9b3603014d0edb436146512631100d	https://github.com/201206030/novel-plus/commit/c62da9bb3a9b3603014d0edb436146512631100d	https://github.com/201206030/novel-plus/commit/c62da9bb3a9b3603014d0edb436146512631100d
source_cve	CVE-2023-7166	CVE-2023-7166	CVE-2023-7166
cna_responsible	VulDB	VulDB	VulDB
advisory_date	1703718000 (12/28/2023)	1703718000 (12/28/2023)	1703718000 (12/28/2023)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	N	N	N
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	N	N	N
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_au	S	S	S
cvss2_vuldb_basescore	4.0	4.0	4.0
cvss2_vuldb_tempscore	3.1	3.1	3.1
cvss3_vuldb_basescore	3.5	3.5	3.5
cvss3_vuldb_tempscore	3.2	3.2	3.2
cvss3_meta_basescore	3.5	3.5	4.1
cvss3_meta_tempscore	3.2	3.2	4.0
price_0day	$0-$5k	$0-$5k	$0-$5k
advisory_identifier		c62da9bb3a9b3603014d0edb436146512631100d	c62da9bb3a9b3603014d0edb436146512631100d
cve_assigned		1703718000 (12/28/2023)	1703718000 (12/28/2023)
cve_nvd_summary		A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0. This affects an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the argument nickName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is c62da9bb3a9b3603014d0edb436146512631100d. It is recommended to apply a patch to fix this issue. The identifier VDB-249201 was assigned to this vulnerability.	A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0. This affects an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the argument nickName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is c62da9bb3a9b3603014d0edb436146512631100d. It is recommended to apply a patch to fix this issue. The identifier VDB-249201 was assigned to this vulnerability.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			L
cvss3_nvd_ui			R
cvss3_nvd_s			C
cvss3_nvd_c			L
cvss3_nvd_i			L
cvss3_nvd_a			N
cvss2_nvd_av			N
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			N
cvss2_nvd_ii			P
cvss2_nvd_ai			N
cvss3_cna_av			N
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			R
cvss3_cna_s			U
cvss3_cna_c			N
cvss3_cna_i			L
cvss3_cna_a			N
cve_cna			VulDB
cvss2_nvd_basescore			4.0
cvss3_nvd_basescore			5.4
cvss3_cna_basescore			3.5

◂ Prethodne Pregled Sledeжi ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!