CVE-2023-24086 in SLIMS
Summary
by MITRE • 02/13/2023
SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/17/2025
The vulnerability identified as CVE-2023-24086 affects SLIMS version 9.5.2 and represents a critical reflected cross-site scripting flaw within the web application's loan_by_class.php component. This vulnerability exists in the parameterized URL structure where user input is not properly sanitized or validated before being reflected back to the browser. The specific endpoint /customs/loan_by_class.php?reportView demonstrates a classic XSS vector where malicious payloads can be injected through the reportView parameter, allowing attackers to execute arbitrary JavaScript code within the context of a victim's browser session.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding practices within the SLIMS application framework. When the application processes the reportView parameter without proper sanitization, it fails to neutralize potentially malicious script content that could be embedded within the parameter value. This creates an environment where an attacker can craft a malicious URL containing script code that gets executed when a victim clicks the link or when the page is loaded in their browser. The reflected nature of this vulnerability means that the malicious script is reflected off the web server rather than being stored on the server, making it particularly challenging to detect and prevent through traditional security measures.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the capability to perform session hijacking, steal sensitive user credentials, redirect victims to malicious websites, or even execute more sophisticated attacks such as keylogging or data exfiltration. The vulnerability affects the confidentiality, integrity, and availability of the SLIMS system by potentially allowing unauthorized access to library management data, user authentication information, and sensitive institutional records. Attackers could leverage this vulnerability to gain persistent access to the system, escalate privileges, or use it as a foothold for broader network infiltration activities.
Security practitioners should immediately implement comprehensive input validation and output encoding measures to address this vulnerability. The recommended mitigations include implementing strict parameter validation for all user-supplied input, applying proper HTML entity encoding to all dynamic content before rendering, and implementing Content Security Policy headers to restrict script execution. Organizations should also consider deploying web application firewalls to detect and block malicious payloads targeting this specific vulnerability. The vulnerability aligns with CWE-79 which describes improper neutralization of input during web page generation, and maps to ATT&CK technique T1566.001 for initial access through spearphishing attachments or links. Regular security assessments and input validation testing should be implemented to prevent similar vulnerabilities in other components of the SLIMS application.