CVE-2026-2224
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts via the 'firstname' parameter in the Online Reviewer System 1.0, enabling cross-site scripting attacks. Remote attackers can exploit this to steal session cookies, redirect users, or perform actions on their behalf. Organizations using code-projects Online Reviewer System 1.0 are affected.
💻 Affected Systems
- code-projects Online Reviewer System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, compromise user data, and maintain persistent access to the system.
Likely Case
Attackers steal user session cookies, perform unauthorized actions as authenticated users, and potentially access sensitive reviewer data.
If Mitigated
Script execution is blocked by browser security features or input validation, limiting impact to minor UI disruption.
🎯 Exploit Status
Exploit details are publicly available on GitHub and vuldb, making this easily exploitable by attackers with basic web security knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
1. Check code-projects.org for security updates. 2. If no patch exists, implement input validation and output encoding. 3. Replace vulnerable file with sanitized version.
🔧 Temporary Workarounds
Input Validation and Output Encoding
allAdd server-side validation to sanitize the firstname parameter and encode output to prevent script execution.
Edit /system/system/admins/manage/users/btn_functions.php to implement htmlspecialchars() or similar encoding for firstname parameter output
Web Application Firewall (WAF) Rules
allConfigure WAF to block XSS payloads in the firstname parameter.
Add WAF rule to detect and block patterns like <script>, javascript:, and other XSS indicators in firstname parameter
🧯 If You Can't Patch
- Restrict access to the vulnerable admin interface using network segmentation or IP whitelisting
- Implement Content Security Policy (CSP) headers to restrict script execution sources
🔍 How to Verify
Check if Vulnerable:
Test by submitting a payload like <script>alert('XSS')</script> in the firstname parameter of the affected admin interface and check if script executes.Check Version:
Check system documentation or configuration files for version information; no standard command available.Verify Fix Applied:
After implementing fixes, test with the same XSS payload to confirm script does not execute and input is properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual firstname parameter values containing script tags or JavaScript code in web server logs
Network Indicators:
- HTTP requests to btn_functions.php with suspicious firstname parameter values
SIEM Query:
source="web_logs" AND uri="*btn_functions.php*" AND (firstname="*<script>*" OR firstname="*javascript:*")