ARS Reg Secure - Reflected cross-site scripting (XSS)

Description

ARS Reg Secure 1. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/includes/core.php.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in ARS Reg Secure 1.. The following is the output of the tool:

Skims output

 13 | function show_custom_field() {
 14 |
 15 | ?>
 16 |
 17 | <p>
 18 |
 19 | <label><?php echo get_option('ars_question'); ?></label><br />
 20 |
> 21 | <input id=""ars-custom-field"" class=""input"" type=""text"" name=""ars-custom-field"" value=""<?php echo $_POST['ars-custom-fiel
 22 |
 23 | </p>
  24 |
  25 | <?php
  26 |
  27 | }
     ^ Col 0

Our security policy

We have reserved the ID CVE-2025-31317 to refer to this issue from now on. Disclosure policy

System Information

• Product: ARS Reg Secure

• Version: 1.

Mitigation

There is currently no patch available for this vulnerability.