CVE-2023-24733
published 2023-03-06CVE-2023-24733: PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
PriorityP278medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.17%
63.4th percentile
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sigb | pmb | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url{{BaseURL}}/pmb/admin/convert/export_z3950_new.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or
yara
body contains '3@1=alert(document.domain)@'
- →Probe for reflected XSS by sending a GET request to /pmb/admin/convert/export_z3950_new.php with parameters command=search and a script-injected query value; a vulnerable response will contain the string '3@1=alert(document.domain)@' in the HTML body with Content-Type: text/html and HTTP 200.
- →Use Shodan query 'http.favicon.hash:1469328760' or 'http.html:"pmb group"' to identify exposed PMB instances for targeted scanning.
- →Use FOFA query 'body="pmb group"' or 'icon_hash=1469328760' to enumerate internet-facing PMB installations.
- →The vulnerability is unauthenticated (PR:N) and requires only user interaction (UI:R), making it suitable for phishing-based exploitation to steal cookie-based authentication credentials.
- ·The vulnerable path may be prefixed with /pmb/ depending on the installation base path; both /admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950_new.php should be tested.
- ·Vulnerability is confirmed only against PMB version 7.4.6; other versions are not explicitly stated as affected.
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6jpg-mqw3-px4p: PMB v7
ghsa_unreviewed·2023-03-06
CVE-2023-24733 [MEDIUM] CWE-79 GHSA-6jpg-mqw3-px4p: PMB v7
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
VulnCheck
sigb pmb Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2023·CVSS 6.1
CVE-2023-24733 [MEDIUM] sigb pmb Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
sigb pmb Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
Affected: sigb pmb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://viz.greynoise.io/tags/pmb-reflected-cross-site-scripting-cve-2023-24733-xss-check
No detection rules found.
Nuclei
PMB 7.4.6 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-24733 [MEDIUM] PMB 7.4.6 - Cross-Site Scripting
PMB 7.4.6 - Cross-Site Scripting
PMB 7.4.6 contains a cross-site scripting vulnerability via the query parameter at /admin/convert/export_z3950_new.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Template:
id: CVE-2023-24733
info:
name: PMB 7.4.6 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
PMB 7.4.6 contains a cross-site scripting vulnerability via the query parameter at /admin/convert/export_z3950_new.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication c
2023-03-06
Published
Exploited in the wild