cbcvebase.
CVE-2023-24733
published 2023-03-06

CVE-2023-24733: PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.

Priority: P2 · 78 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.17% (63.4th percentile)

Affected (1 range)

Vendor: sigb · Product: pmb · Version range: (not stated) · Fixed in: (not stated)

Detection & IOCs (extracted from sources)

path: /admin/convert/export_z3950_new.php
url: {{BaseURL}}/pmb/admin/convert/export_z3950_new.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or
yara: body contains '3@1=alert(document.domain)@'
  • Probe for reflected XSS by sending a GET request to /pmb/admin/convert/export_z3950_new.php with parameters command=search and a script-injected query value; a vulnerable response will contain the string '3@1=alert(document.domain)@' in the HTML body with Content-Type: text/html and HTTP 200.
  • Use Shodan query 'http.favicon.hash:1469328760' or 'http.html:"pmb group"' to identify exposed PMB instances for targeted scanning.
  • Use FOFA query 'body="pmb group"' or 'icon_hash=1469328760' to enumerate internet-facing PMB installations.
  • The vulnerability is unauthenticated (PR:N) and requires only user interaction (UI:R), making it suitable for phishing-based exploitation to steal cookie-based authentication credentials.
  • The vulnerable path may be prefixed with /pmb/ depending on the installation base path; both /admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950_new.php should be tested.
  • The vulnerability is confirmed only against PMB version 7.4.6; other versions are not explicitly stated as affected.

CVSS provenance

nvd: v3.1 · 6.1 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 6.1 · MEDIUM