Lucene search

[email protected]NVD:CVE-2023-43456

HistorySep 25, 2023 - 3:15 p.m.

CVE-2023-43456

2023-09-2515:15:10

CWE-79

[email protected]

web.nvd.nist.gov

cross site scripting

service provider management system

remote attacker

arbitrary code

sensitive information

user endpoint

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

48.9%

JSON

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

Affected configurations

Nvd

Node

oretnom23service_provider_management_systemMatch1.0

VendorProductVersionCPE
oretnom23service_provider_management_system1.0cpe:2.3:a:oretnom23:service_provider_management_system:1.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
oretnom23	service_provider_management_system	1.0	cpe:2.3:a:oretnom23:service_provider_management_system:1.0:::::::*

References

samh4cks.github.io/posts/cve-2023-43456/

www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html

www.sourcecodester.com/users/tips23