CVE-2023-33751 in mipjz
Summary
by MITRE • 05/25/2023
A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.
Analysis
by VulDB Data Team • 01/06/2026
The stored cross-site scripting vulnerability identified as CVE-2023-33751 affects mipjz version 5.0.5 and represents a critical security flaw that enables attackers to persist malicious scripts within the application's database. This vulnerability specifically targets the name parameter within the ApiAdminTagCategory.php controller file, creating a persistent XSS attack vector that can compromise user sessions and execute unauthorized actions. The flaw allows adversaries to inject malicious code that remains stored within the application's data storage, making it particularly dangerous as it can affect multiple users over time.
The vulnerability stems from insufficient input validation and output sanitization in the application's tag category management functionality. When users submit data through the name parameter, the application fails to sanitize or escape the input before storing it in the database. This weakness maps directly to CWE-79 - Improper Neutralization of Input During Web Page Generation, a fundamental web application security issue that has been consistently identified as one of the top ten OWASP risks. Because the application does not implement proper encoding or validation mechanisms, malicious scripts can be stored and subsequently executed when other users view the affected content.
The operational impact of this stored XSS vulnerability extends beyond simple script execution, creating a comprehensive attack surface that can be leveraged for session hijacking, credential theft, and data exfiltration. Attackers can craft malicious payloads that exploit the vulnerability to steal cookies, redirect users to phishing sites, or inject malicious content that can harvest sensitive information from authenticated sessions. The persistent nature of the vulnerability means that once exploited, the malicious scripts will execute automatically for any user who views the affected tag categories, potentially affecting all users of the application. This makes the vulnerability particularly dangerous in multi-user environments where administrators and regular users may be exposed to the same malicious content.
Mitigation strategies for CVE-2023-33751 should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application's data handling processes. The most effective immediate solution involves sanitizing all user-supplied input, particularly the name parameter, using appropriate encoding techniques such as HTML entity encoding before storing data in the database. Additionally, implementing Content Security Policy (CSP) headers can provide an additional layer of protection against XSS attacks by restricting the sources from which scripts can be loaded. The application should also implement proper parameter validation to ensure that only expected data formats are accepted, and input length restrictions should be enforced to prevent overly long payloads that might bypass basic validation. Security measures should align with ATT&CK technique T1059.001 - Command and Scripting Interpreter: PowerShell, which emphasizes the importance of preventing malicious script execution in web applications. Organizations should also consider implementing web application firewalls and regular security scanning to detect and prevent exploitation attempts, while ensuring that all users are updated to the patched version of mipjz to eliminate this vulnerability from their systems.
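The mitigations described above (format and length validation of the name parameter, HTML entity encoding, and a CSP header) can be combined as in the following added example, which is not code from mipjz or from the advisory. The function names, the 64-character limit, the allowed character set and the policy string are assumptions, and the encoding is applied when the value is rendered so that rows stored before the fix are covered as well.

```php
<?php
declare(strict_types=1);

// Added illustration: names, limits and the character policy are assumptions,
// not code from mipjz. Requires the mbstring extension.
const TAG_NAME_MAX_LEN = 64;

/** Validate a tag category name before it is stored; throws if out of format. */
function validateTagCategoryName(string $raw): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('name is not valid UTF-8');
    }
    $name = trim($raw);
    $len = mb_strlen($name, 'UTF-8');
    if ($len === 0 || $len > TAG_NAME_MAX_LEN) {
        throw new InvalidArgumentException('name length out of range');
    }
    // Assumed policy: letters, digits, space, underscore and hyphen only.
    if (preg_match('/^[\p{L}\p{N} _-]+$/u', $name) !== 1) {
        throw new InvalidArgumentException('name contains disallowed characters');
    }
    return $name;
}

/** Encode a stored value for HTML text or a quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Restrictive CSP as a second layer; call before any output in a web request. */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample inputs: two ordinary names, one with markup, one too long.
$samples = ['News', 'Élan 2024', '<i>News</i> & "more"', str_repeat('a', 200)];
foreach ($samples as $raw) {
    try {
        echo 'accepted: ', escapeHtml(validateTagCategoryName($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Rows stored before the fix may hold markup, so output is always encoded.
        echo 'rejected (', $e->getMessage(), '): ', escapeHtml(mb_substr($raw, 0, 40, 'UTF-8')), PHP_EOL;
    }
}
```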