CVE-2023-0527
Published: 27 January 2023
Summary
CVE-2023-0527 is a low-severity Cross-site Scripting (CWE-79) vulnerability in Online Security Guards Hiring System (vendor: Online Security Guards Hiring System Project). Its CVSS base score is 3.5 (Low).
Operationally, it ranks in the top 7.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as problematic was identified in PHPGurukul Online Security Guards Hiring System version 1.0. The issue resides in an unspecified function within the search-request.php file, where unsanitized input to the searchdata parameter enables reflected cross-site scripting. An attacker can supply a payload such as "><script>alert(document.domain)</script> to trigger script execution in a victim's browser. The flaw received a CVSS 3.1 score of 3.5 and is tracked under CWE-79.
The attack can be launched remotely by any authenticated user who can reach the search functionality. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of another user's session, potentially resulting in limited impact such as cookie theft or page manipulation. Public proof-of-concept code demonstrating the vector has been released.
The associated EPSS score remains flat at 0.0897 with no material increase after disclosure. No vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12572
Vulnerability details
A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input "><script>alert(document.domain)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-219596.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
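The input-validation and output-handling controls listed above, applied to the searchdata value, as an added example that is not PHPGurukul's code and not the contents of search-request.php. The function names, the reflection into a value attribute (inferred from the leading "> of the published input) and the allow-list for search terms are assumptions.

```php
<?php
// Added illustration; not the code of search-request.php.
// All function names here are hypothetical.

// Constructed input: the string quoted in the vulnerability description.
$searchdata = '"><script>alert(document.domain)</script>';

// Before: the value is reflected into an attribute without encoding, so the
// leading "> closes the attribute and the tag and the rest is parsed as markup.
function render_search_unencoded(string $q): string
{
    return '<input type="text" name="searchdata" value="' . $q . '">';
}

// After: encode for the HTML context at output time. ENT_QUOTES covers both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_encoded(string $q): string
{
    return '<input type="text" name="searchdata" value="' . h($q) . '">';
}

// Input validation as a second layer, not a replacement for encoding.
// Assumed allow-list: letters, digits, space, dot, at sign, hyphen,
// 1 to 64 characters. Invalid UTF-8 makes preg_match return false.
function is_valid_search_term(string $q): bool
{
    return preg_match('/\A[\p{L}\p{N} .@-]{1,64}\z/u', $q) === 1;
}

// Compare the published input with an ordinary (constructed) search term.
foreach ([$searchdata, 'guard 24'] as $q) {
    printf("input:     %s\n", $q);
    printf("valid:     %s\n", is_valid_search_term($q) ? 'yes' : 'no');
    printf("unencoded: %s\n", render_search_unencoded($q));
    printf("encoded:   %s\n\n", render_search_encoded($q));
}
```

Encoding has to match the output context: htmlspecialchars covers HTML text and quoted attributes, while a value written into a script block or a URL needs the encoder for that context.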