Newcomer1989 TSN-Ranksystem bot.php getlog cross site scripting
Description
A vulnerability has been found in Newcomer1989 TSN-Ranksystem up to 1.2.6 and classified as problematic. This vulnerability affects the function getlog of the file webinterface/bot.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.2.7 is able to address this issue. The patch is identified as b3a3cd8efe2cd3bd3c5b3b7abf2fe80dbee51b77. It is recommended to upgrade the affected component. VDB-218002 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <=1.2.6
- (no CPE) range: 1.2.0
Patches
Vulnerability mechanics
Root cause
"The function getlog in webinterface/bot.php does not properly sanitize user input, allowing for cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by sending a crafted POST request to the web interface. The payload is injected into the 'logfilter[0]' parameter, which is then reflected in the response without proper sanitization. This allows for the execution of arbitrary JavaScript in the victim's browser [ref_id=1]. The attack can be initiated remotely.
Affected code
The vulnerability resides in the getlog function within the file webinterface/bot.php. Specifically, the issue occurs when processing the POST parameter 'logfilter[0]' which is assigned to the $filter2 variable [ref_id=2].
What the fix does
The patch addresses the vulnerability by applying the `htmlspecialchars` function to the user-supplied input from the 'logfilter[0]' POST parameter before it is assigned to the $filter2 variable [ref_id=2]. This function converts special characters into their HTML entity equivalents, preventing them from being interpreted as executable code. By sanitizing the input, the reflected cross-site scripting is mitigated.
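The vulnerable pattern beside the hardened one, as an added illustration that is not TSN-Ranksystem's own code: the function names, the wrapper markup and the sample input are assumptions; only the parameter name `logfilter[0]`, the `$filter2` variable and the use of `htmlspecialchars` come from the advisory.

```php
<?php
// Added illustration (not the project's code) of the pattern the advisory
// describes: POST parameter logfilter[0] reflected into an HTML response.
// Function names and the surrounding <span> markup are assumptions.

// Vulnerable pattern: the raw parameter is concatenated into the response.
function renderFilterUnsafe(array $post): string
{
    $filter2 = $post['logfilter'][0] ?? '';
    return '<span class="filter">' . $filter2 . '</span>';
}

// Hardened pattern, mirroring the fix: escape before the value is used.
// ENT_QUOTES also escapes single quotes, which matters if the value ever
// lands inside a single-quoted attribute; before PHP 8.1 the default
// flags of htmlspecialchars left single quotes untouched.
function renderFilterSafe(array $post): string
{
    $raw     = $post['logfilter'][0] ?? '';
    $filter2 = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="filter">' . $filter2 . '</span>';
}

// Check a defender can run: strip the fixed wrapper and confirm that no
// tag or quote characters from the input survive into the response.
function reflectsMarkup(string $html, string $open, string $close): bool
{
    $inner = substr($html, strlen($open), -strlen($close));
    return strpbrk($inner, '<>"\'') !== false;
}

// Constructed sample input: markup that must be displayed literally.
$sample = ['logfilter' => ['<b>bot</b>']];
$open   = '<span class="filter">';
$close  = '</span>';

echo 'unsafe reflects markup: ', var_export(reflectsMarkup(renderFilterUnsafe($sample), $open, $close), true), PHP_EOL;
echo 'safe reflects markup:   ', var_export(reflectsMarkup(renderFilterSafe($sample), $open, $close), true), PHP_EOL;
echo renderFilterSafe($sample), PHP_EOL;
```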
Preconditions
- input: The attacker must provide a malicious payload within the 'logfilter[0]' POST parameter.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Newcomer1989/TSN-Ranksystem/commit/b3a3cd8efe2cd3bd3c5b3b7abf2fe80dbee51b77 (mitre; patch)
- github.com/Newcomer1989/TSN-Ranksystem/releases/tag/1.2.7 (mitre; patch)
- github.com/Newcomer1989/TSN-Ranksystem/pull/467 (mitre; issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)