CVE-2023-36313 in Document Creatorinfo

Summary

by MITRE • 08/10/2023

PHPJabbers Document Creator v1.0 is vulnerable to Cross Site Scripting (XSS) via all post parameters of "Export Requests" aside from "request_feed".

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/13/2026

The vulnerability identified as CVE-2023-36313 affects PHPJabbers Document Creator version 1.0 and represents a critical cross site scripting flaw that undermines the security posture of web applications utilizing this component. This vulnerability manifests specifically within the "Export Requests" functionality where multiple post parameters fail to properly sanitize user input, creating an attack surface that malicious actors can exploit to inject arbitrary JavaScript code into the application's response. The flaw is particularly concerning as it affects all post parameters except for "request_feed" which appears to be properly handled or excluded from the vulnerable code path.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding practices within the document creator's export functionality. When users submit requests through the export interface, the application processes various parameters without sufficient sanitization of potentially malicious content. This failure to properly escape or filter user-supplied data allows attackers to inject script tags, event handlers, or other malicious payloads that execute in the context of other users' browsers who view the exported documents or interact with the affected application. The vulnerability aligns with CWE-79 which specifically addresses cross site scripting weaknesses in web applications.

The operational impact of this vulnerability extends beyond simple data theft or session hijacking as it provides attackers with the capability to perform a wide range of malicious activities within the victim's browser context. An attacker could potentially redirect users to phishing sites, steal session cookies, modify content displayed to users, or even escalate privileges within the application if the user has administrative capabilities. The attack vector is particularly dangerous because it requires minimal user interaction beyond visiting a page or clicking a link that triggers the vulnerable export functionality, making it susceptible to social engineering campaigns. This vulnerability directly maps to ATT&CK technique T1566 which describes the use of phishing and spearphishing attacks to deliver malicious payloads.

Mitigation strategies for this vulnerability should prioritize immediate input validation and output encoding measures across all parameters within the export functionality. Developers must implement proper sanitization of all user-supplied input data before processing or storing it within the application's database or generating responses. The recommended approach includes implementing strict whitelisting of acceptable input characters, employing context-specific output encoding for all dynamic content, and utilizing secure coding practices that prevent the execution of untrusted code. Additionally, organizations should consider implementing web application firewalls to detect and block suspicious payloads, while also conducting comprehensive security testing including automated scanning and manual penetration testing to identify similar vulnerabilities within the application's codebase. Regular security updates and patch management processes should be established to ensure that such vulnerabilities are addressed promptly when they are discovered in the application's dependencies or components.

Reservation

06/21/2023

Disclosure

08/10/2023

Moderation

accepted

CPE

ready

EPSS

0.00388

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!