Unrated severity · NVD Advisory · Published Apr 25, 2023 · Updated Feb 3, 2025

CVE-2023-30106

Description

Sourcecodester Medicine Tracker System in PHP 1.0.0 is vulnerable to Cross Site Scripting (XSS) via page=about.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sourcecodester Medicine Tracker System 1.0.0 is vulnerable to reflected XSS via the page parameter, allowing an attacker to inject arbitrary JavaScript.

Vulnerability

The Sourcecodester Medicine Tracker System in PHP version 1.0.0 contains a reflected Cross-Site Scripting (XSS) vulnerability in the page parameter. When the page parameter is set to about, the value is not properly sanitized before being output in the response, allowing an attacker to inject malicious scripts. The affected component is the page parameter handling, likely in a PHP file that includes about.php based on the parameter value. This issue affects version 1.0.0 of the Medicine Tracker System [1].

Exploitation

An attacker can exploit this vulnerability by crafting a URL with a malicious payload in the page parameter, such as ?page=about. The attacker does not require authentication or any special privileges. The victim must click on the crafted URL, which can be delivered via email, social media, or other means. No user interaction beyond clicking the link is needed, and the attack can be performed remotely over the network [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement of the application, theft of sensitive information, or redirection to malicious websites. The impact is limited to the browser of the victim and does not affect server-side components directly, but can be used to perform actions on behalf of the victim [1].

Mitigation

As of the publication date (2023-04-25), no official patch has been released by the vendor (Sourcecodester). The vendor's website [2] provides the source code, but no update addressing this XSS vulnerability is available. Users should implement input validation and output encoding for the page parameter as a workaround. Additionally, consider using a web application firewall (WAF) to block malicious payloads. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
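One way to apply the input validation and output encoding recommended above to a `page` parameter, as an added example that is not the vendor's code. The front-controller layout, the `ALLOWED_PAGES` list (apart from `about`), the helper names and the `pages/` directory are assumptions.

```php
<?php
// Added illustration, not Medicine Tracker System source code.
// Assumption: a front controller selects a view from ?page=. Requires PHP 8.0+.

// Allowlist of view names (hypothetical apart from "about").
const ALLOWED_PAGES = ['home', 'about'];

/** Output encoding for any value written into HTML text or attributes. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Input validation: return an allowlisted page name, or null. */
function resolve_page(mixed $raw): ?string
{
    // Reject arrays (?page[]=x) and anything that is not a plain string.
    if (!is_string($raw)) {
        return null;
    }
    // Strict comparison against fixed names; the request value itself is
    // never echoed back or used to build a file path.
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : null;
}

$page = resolve_page($_GET['page'] ?? 'home');

header('Content-Type: text/html; charset=UTF-8');

if ($page === null) {
    http_response_code(404);
    // Static message only: the rejected value is not reflected.
    echo '<h1>Page not found</h1>';
    exit;
}

// $page is now one of the fixed allowlist strings; encode it on output anyway
// so the template stays safe if the allowlist is later loosened.
echo '<title>' . e(ucfirst($page)) . '</title>';

// Hypothetical view directory; the path is built from the allowlisted name only.
require __DIR__ . '/pages/' . $page . '.php';
```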

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 3
