CVE-2023-4870 in Contact Manager App
Summary
by MITRE • 09/10/2023
A vulnerability classified as problematic has been found in SourceCodester Contact Manager App 1.0. This affects an unknown part of the file index.php of the component Contact Information Handler. The manipulation of the argument contactID with the input ">alert(1) leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-239355.
Analysis
by VulDB Data Team • 06/25/2025
This cross-site scripting vulnerability exists in the SourceCodester Contact Manager App version 1.0, within the contact information handler component. The flaw is in the index.php file, where the contactID parameter is not properly sanitized before it is processed. When an attacker supplies input containing ">alert(1), the application neither validates nor escapes the data adequately, so the script executes in the victim's browser context. This is a classic reflected cross-site scripting vulnerability: the payload is embedded in the request and executed by the target browser. It is categorized under CWE-79 (improper neutralization of input during web page generation), specifically in the contact information handler module. The attack vector is remote, meaning the vulnerability can be exploited without physical access to the target system, which makes it particularly dangerous in web applications where users might be tricked into clicking malicious links or visiting compromised pages.
The operational impact extends beyond simple script execution: the vulnerability gives attackers the capability to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. Because it is reflected, the malicious script executes as soon as a user accesses a specially crafted URL containing the payload, which makes it highly effective for phishing campaigns or social engineering attacks. The vulnerability affects the core contact information handling functionality of the application, potentially compromising sensitive personal data stored in the contact manager. The weakness can be combined with other attack techniques to establish persistent access or escalate privileges within the application environment, so it represents a significant security risk for organizations relying on this contact management solution.
Exploiting this vulnerability requires minimal technical expertise and can be automated through various attack frameworks, which makes it particularly dangerous when used at scale. Security practitioners should consider it in the context of the ATT&CK framework under T1566 (Phishing) for the social engineering techniques involved and T1059 (Command and Scripting Interpreter) for script execution. The fact that the exploit has been publicly disclosed and is available for use significantly increases the risk profile, as it removes the need for advanced exploitation techniques. Organizations should implement comprehensive input validation and output encoding to prevent similar vulnerabilities in their web applications. The vulnerability highlights the importance of proper input sanitization and of a Content Security Policy to mitigate the impact of cross-site scripting attacks. Immediate remediation should focus on updating the application to a patched version or implementing input validation so that the contactID parameter is never processed without adequate security controls in place.
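Added example, not the Contact Manager App's own index.php (the advisory does not show its code): a hypothetical PHP fragment that contrasts the vulnerable pattern, where a contactID value is interpolated directly into page markup, with the validation and output encoding the analysis recommends. The function names and the hidden-input markup are assumptions; the payload is the constructed string named in the advisory.

```php
<?php
// Added example, not the Contact Manager App's own index.php. The function
// names and the hidden-input markup are assumptions; the payload is the
// constructed string named in the advisory.
declare(strict_types=1);

// Defence in depth: a CSP without 'unsafe-inline' limits what a reflected
// payload can do if an encoding gap remains. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Vulnerable pattern (CWE-79): the raw parameter is interpolated into an
// attribute. A value beginning with "> closes the attribute and the tag, so
// the rest of the value is parsed by the browser as page markup.
function render_contact_field_vulnerable(string $contactID): string
{
    return '<input type="hidden" name="contactID" value="' . $contactID . '">';
}

// Hardened, step 1: validate. contactID is a record key, so only a positive
// integer is acceptable; anything else is rejected before it is used.
function contact_id_from_request(array $query): ?int
{
    $raw = $query['contactID'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened, step 2: encode on output. ENT_QUOTES turns both quote characters
// into entities, so the value can never terminate the attribute it sits in.
function render_contact_field_safe(string $contactID): string
{
    $encoded = htmlspecialchars($contactID, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="contactID" value="' . $encoded . '">';
}

$payload = '">alert(1)';                              // constructed, from the advisory
echo render_contact_field_vulnerable($payload), "\n"; // attribute is broken out of
echo render_contact_field_safe($payload), "\n";       // quotes and > become entities

$id = contact_id_from_request(['contactID' => $payload]);
echo $id === null ? "rejected: contactID is not a positive integer\n"
                  : "accepted: contactID=$id\n";
```

Validation alone would have stopped this particular input, but the output encoding is what keeps the page safe if the parameter is later allowed to carry free text.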