VYPR
Unrated severity · NVD Advisory · Published Apr 2, 2023 · Updated Aug 2, 2024

SourceCodester Gadget Works Online Ordering System GET Parameter index.php cross site scripting

CVE-2023-1795

Description

A vulnerability was found in SourceCodester Gadget Works Online Ordering System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/products/index.php of the component GET Parameter Handler. The manipulation of the argument view with the input leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224747.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

Missing output encoding of the `view` GET parameter where it is reflected into the HTML response allows reflected cross-site scripting.

Attack vector

An attacker sends a crafted GET request to `/admin/products/index.php` with the `view` parameter containing a JavaScript payload, such as `

Affected code

The vulnerability is in the file `/admin/products/index.php` (also referenced as `/philosophy/admin/products/index.php` in the researcher's report [ref_id=1]). The GET parameter `view` is reflected into the page without output encoding, so HTML or script supplied in the query string is rendered as markup and executed in the victim's browser.

What the fix does

No patch is provided in the available references. The advisory [ref_id=1] does not include a fix commit or vendor remediation. To close the vulnerability, the application must HTML-encode the `view` GET parameter at the point where it is written into the page (in PHP, `htmlspecialchars()` with `ENT_QUOTES`), so that injected markup is rendered as text rather than parsed. If `view` selects one of a fixed set of page modes, as its name suggests, restricting it to an allowlist of known values before it is used is a second, independent layer that keeps untrusted input out of the response altogether.
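The following is an added illustration, not code from the Gadget Works Online Ordering System or from the advisory. The actual contents of `/admin/products/index.php` are not in the references, so the way `view` is used here (as a page-mode selector echoed into a heading), the allowlist of view names, and the canary value are all assumptions made for the example.

```php
<?php
// Added example (not the project's code). Models the reported pattern:
// a GET parameter `view` written into HTML without output encoding,
// beside a hardened version of the same handler.
declare(strict_types=1);

// VULNERABLE: the raw query-string value is concatenated into markup.
// Anything the client puts in ?view= lands in the response verbatim.
function render_vulnerable(array $get): string
{
    $view = $get['view'] ?? 'list';
    return '<h2>Products: ' . $view . '</h2>';
}

// HTML-encode a value for use inside an element's text content or a
// quoted attribute. ENT_QUOTES also escapes ' so the value is safe in
// single-quoted attributes; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Assumed set of page modes; the real application's values are unknown.
const ALLOWED_VIEWS = ['list', 'add', 'edit'];

// FIXED, two independent layers:
//  1. allowlist: an unknown selector falls back to a default instead of
//     reaching the output at all;
//  2. output encoding: whatever is echoed is encoded anyway, so a value
//     that slips past layer 1 still cannot break out of the text node.
function render_fixed(array $get): string
{
    $view = $get['view'] ?? 'list';
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        $view = 'list';
    }
    return '<h2>Products: ' . html_escape($view) . '</h2>';
}

// Constructed probe value: a harmless canary containing the characters
// that matter for breaking out of HTML, not the public exploit payload.
$probe = ['id' => '1', 'view' => '<b>canary</b>"\'&'];

echo "vulnerable: " . render_vulnerable($probe) . PHP_EOL;
// -> <h2>Products: <b>canary</b>"'&</h2>   (markup is live)
echo "fixed:      " . render_fixed($probe) . PHP_EOL;
// -> <h2>Products: list</h2>               (rejected by the allowlist)
echo "encoded:    " . html_escape($probe['view']) . PHP_EOL;
// -> &lt;b&gt;canary&lt;/b&gt;&quot;&#039;&amp;  (what layer 2 alone would emit)
```

Run it with `php index_example.php` (any file name). The same canary technique is a safe way to test the live endpoint: request `?view=` with a string such as `<b>canary</b>` and inspect the response body; if the angle brackets come back unencoded, the parameter is reflected raw and the page is vulnerable, without sending a script payload to a production system.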

Preconditions

  • Network: the attacker must be able to send HTTP GET requests to the application, or get a victim's browser to send one (a crafted link is enough for reflected XSS).
  • Auth: no authentication bypass is required; the advisory rates the attack as remotely initiable. Note that the file sits under `/admin/`, and the references do not state whether an administrator session must already exist for the parameter to be reflected.

Reproduction

1. Send a GET request to `/philosophy/admin/products/index.php?id=1&view=

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)