CVE-2023-3184 in Sales Tracker Management Systeminfo

Summary

by MITRE • 06/09/2023

A vulnerability was found in SourceCodester Sales Tracker Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save. The manipulation of the argument firstname/middlename/lastname/username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231164.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/25/2025

The vulnerability identified as CVE-2023-3184 affects the SourceCodester Sales Tracker Management System version 1.0, representing a significant security flaw that exposes the application to cross-site scripting attacks. This issue manifests within the /classes/Users.php file when processing the f=save endpoint, where user-supplied input parameters including firstname, middlename, lastname, and username are not properly sanitized or validated. The vulnerability falls under the CWE-79 category of Cross-Site Scripting, which is classified as a critical weakness in web applications that allows attackers to inject malicious scripts into web pages viewed by other users. The attack vector is remotely exploitable, meaning malicious actors can trigger the vulnerability without requiring physical access to the target system.

The technical implementation of this flaw demonstrates poor input validation practices within the application's user management functionality. When users submit data through the registration or profile update forms, the system fails to properly escape or encode special characters in the firstname, middlename, lastname, and username fields before storing or displaying this information. This creates an opportunity for attackers to inject malicious JavaScript code that executes in the context of other users' browsers. The vulnerability's exploitation is straightforward since the attack requires only sending crafted input through the affected API endpoint, making it particularly dangerous in environments where multiple users interact with the system. The public disclosure of this vulnerability through identifier VDB-231164 indicates that malicious actors have already developed and potentially deployed exploit code.

The operational impact of this vulnerability extends beyond simple data theft or defacement, as it enables attackers to establish persistent access to user sessions and potentially escalate privileges within the application. Users who view compromised profile information or interact with maliciously crafted usernames may unknowingly execute scripts that steal session cookies, redirect traffic to malicious sites, or perform actions on behalf of authenticated users. The attack surface is particularly concerning given that this vulnerability affects core user management functionality, potentially allowing attackers to compromise the entire user base of the sales tracking system. This weakness could enable unauthorized access to sensitive sales data, customer information, and business operations that the system is designed to protect.

Organizations should implement immediate mitigations including input validation and output encoding for all user-supplied data, specifically within the affected PHP file and related user management components. The recommended approach involves implementing proper HTML entity encoding for all dynamic content before rendering it in web pages, combined with strict input validation that rejects or sanitizes potentially malicious characters. Additionally, the application should implement Content Security Policy headers to prevent unauthorized script execution, and developers should conduct thorough code reviews to identify similar vulnerabilities in other input handling functions. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments, though the specific exploitation pathway here involves web-based injection rather than email-based attacks. Organizations should also consider implementing web application firewalls to detect and block malicious input patterns targeting this specific vulnerability.

Responsible

VulDB

Reservation

06/09/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.02264

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!