Online Examination System v1.0 - Multiple Open Redirects
6.1
Medium
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Online Examination System v1.0 - Multiple Open Redirects
Code name:
State: Public
Release date: 1 Nov 2023
Affected product: Online Examination System
Vendor: Projectworlds Pvt. Limited
Affected version(s): Version 1.0
Vulnerability name: Open Redirect
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.0 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v3.0 base score: 6.1
Exploit available: Yes
CVE ID(s): CVE-2023-45201, CVE-2023-45202, CVE-2023-45203
Description
Online Examination System v1.0 is vulnerable to multiple Open Redirect vulnerabilities.
Vulnerabilities
CVE-2023-45201
The 'q' parameter of the admin.php resource allows an attacker to redirect a victim user to an arbitrary web site using a crafted URL:
CVE-2023-45202
The 'q' parameter of the feed.php resource allows an attacker to redirect a victim user to an arbitrary web site using a crafted URL:
CVE-2023-45203
The 'q' parameter of the login.php resource allows an attacker to redirect a victim user to an arbitrary web site using a crafted URL:
Our security policy
We have reserved the IDs CVE-2023-45201, CVE-2023-45202 and CVE-2023-45203 to refer to these issues from now on.
System Information
Version: Online Examination System v1.0
Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
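With no patch available, requests that abuse the 'q' parameter can be looked for in web server access logs. The script below is an added example, not part of the advisory or of the vendor's code: it flags requests to the three affected resources whose decoded 'q' value resolves to a host outside an allowlist. The combined log format, the hostname exam.example.test and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

AFFECTED = {"admin.php", "feed.php", "login.php"}  # resources named in the advisory
TRUSTED_HOSTS = {"exam.example.test"}  # assumption: the site's own hostname
# Assumption: combined-format access log; capture the request target.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def external_target(value):
    """Return the off-site host a decoded 'q' value points at, or None."""
    # Browsers ignore whitespace/control characters and read "\" as "/".
    cleaned = re.sub(r"[\x00-\x20]", "", value).replace("\\", "/")
    try:
        host = (urlsplit(cleaned).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return "<unparseable>"
    return host if host and host not in TRUSTED_HOSTS else None


def scan(lines):
    """Return (resource, host) for each request whose 'q' points off-site."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        resource = target.path.rsplit("/", 1)[-1].lower()
        if resource not in AFFECTED:
            continue
        # parse_qs percent-decodes once, as the server does.
        for value in parse_qs(target.query, keep_blank_values=True).get("q", []):
            host = external_target(value)
            if host:
                hits.append((resource, host))
    return hits


# Constructed sample entries (documentation addresses and hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2023:10:00:01 +0000] "GET /login.php?q=index.php HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Nov/2023:10:00:05 +0000] "GET /feed.php?q=https%3A%2F%2Fother.example%2Fa HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Nov/2023:10:00:09 +0000] "GET /admin.php?q=%2F%2Fother.example%2F HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Nov/2023:10:00:12 +0000] "GET /login.php?q=https://exam.example.test/index.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for resource, host in scan(SAMPLE_LOG):
        print(f"{resource}: q points to external host {host}")
```

Hits are worth correlating with referrers and inbound mail, since an open redirect is normally delivered to the victim as a link.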
References
Vendor page https://projectworlds.in/
Timeline
Generative AI
5 Oct 2023
Vendor contacted
5 Oct 2023
Public disclosure
1 Nov 2023