CVE-2023-3847
Published: 23 July 2023
Summary
CVE-2023-3847 is a low-severity Cross-site Scripting (CWE-79) vulnerability in Moosocial Moodating. Its CVSS base score is 3.5 (Low).
Operationally, ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A cross-site scripting vulnerability exists in mooSocial mooDating version 1.2 within the URL handler component handling the /users path. The issue, tracked as CVE-2023-3847 and assigned CWE-79, arises from improper input sanitization that permits script injection through manipulated parameters. It received a CVSS 3.1 score of 3.5, reflecting network attack vector, low complexity, and required user interaction.
An authenticated attacker with low privileges can supply a crafted URL that, when visited by another user, executes arbitrary JavaScript in the victim's browser context. The attack is fully remote and results in limited integrity impact without affecting confidentiality or availability. No special conditions beyond a logged-in session and victim interaction are required.
Public references on VulDB and Packet Storm document the flaw and include proof-of-concept material, but the vendor could not be reached via its published contact address and no official patch or mitigation guidance has been issued. The associated EPSS score reached a modest peak of 0.1132 before receding to its current value of 0.0992, indicating limited but observable post-disclosure interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44475
Vulnerability details
A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. VDB-235198 is…
more
the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.