CVE-2023-33761 in simpleRedakinfo

Summary

by MITRE • 06/02/2023

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /view/cb/format_642.php.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/06/2026

The vulnerability identified as CVE-2023-33761 represents a critical reflected cross-site scripting flaw within the eMedia Consulting simpleRedak content management system version 2.47.23.05 and earlier. This vulnerability specifically affects the /view/cb/format_642.php component, which serves as a critical entry point for malicious exploitation. The reflected XSS vulnerability occurs when user-supplied input is improperly validated and directly embedded into web responses without adequate sanitization or encoding mechanisms. This flaw allows attackers to inject malicious scripts that execute in the context of victims' browsers, potentially compromising user sessions and enabling unauthorized access to sensitive data.

The technical implementation of this vulnerability stems from insufficient input validation within the format_642.php component, which fails to properly sanitize parameters passed through HTTP requests. When a malicious user crafts a specially crafted URL containing malicious script payloads and tricks a victim into accessing this URL, the web application reflects the script back to the victim's browser where it executes automatically. This behavior aligns with CWE-79, which defines cross-site scripting vulnerabilities as weaknesses that allow attackers to inject client-side scripts into web pages viewed by other users. The vulnerability operates at the application layer and requires no special privileges to exploit, making it particularly dangerous in environments where users frequently interact with web applications.

The operational impact of this vulnerability extends beyond simple script execution, as it can lead to session hijacking, credential theft, and potential full system compromise. Attackers can leverage this vulnerability to steal session cookies, redirect users to malicious domains, or inject additional malicious content that persists across user interactions. The reflected nature of the vulnerability means that the attack payload must be delivered through crafted URLs, typically via social engineering campaigns or phishing attacks. This vulnerability falls under ATT&CK technique T1566, specifically targeting the initial access phase through spearphishing with a link, and can contribute to broader attack chains leading to privilege escalation and data exfiltration.

Organizations utilizing simpleRedak version 2.47.23.05 or earlier should implement immediate mitigations including input validation, output encoding, and the implementation of Content Security Policies to prevent unauthorized script execution. The most effective long-term solution involves updating to the latest version of simpleRedak where this vulnerability has been patched. Additional protective measures include implementing web application firewalls, conducting regular security assessments, and establishing user awareness training programs to recognize and avoid malicious links. The vulnerability demonstrates the critical importance of input sanitization and proper output encoding practices in web application development, particularly when handling user-provided data in dynamic web components.

Reservation

05/22/2023

Disclosure

06/02/2023

Moderation

accepted

CPE

ready

EPSS

0.00473

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!