CVE-2023-53901
Cross-Site Scripting in WBCE CMS 1.6.1 Enables Keylogging
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wbce | cms | 1.6.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows attackers to capture user keystrokes including passwords through CSS-based keylogging, it could potentially lead to unauthorized access and data breaches, which may result in non-compliance with data protection regulations that require safeguarding personal and sensitive information. [1, 2]
Can you explain this vulnerability to me?
WBCE CMS version 1.6.1 has a vulnerability that allows attackers to perform a CSS-based keylogging attack by combining an Open Redirect flaw and a Cross-Site Request Forgery (CSRF) vulnerability. An attacker can upload a crafted HTML file containing malicious CSS that assigns background images to password input characters. When a victim types their password, each character triggers a request to the attacker's server, effectively capturing keystrokes. The attacker uses the Open Redirect and CSRF vulnerabilities to redirect the victim to this malicious HTML page after login without their consent, enabling stealthy password interception. [1]
How can this vulnerability impact me?
This vulnerability can lead to the theft of user credentials by capturing password keystrokes as users enter them. Attackers can remotely log sensitive information such as passwords without the victim's knowledge, potentially leading to unauthorized access to user accounts and further compromise of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unusual HTTP POST requests to the login page (`/wbce/admin/login/index.php`) whose `url` parameter points to unknown or attacker-controlled domains. Network traffic analysis can additionally look for the repeated background-image requests to external servers that CSS keylogging triggers. Tools that help include curl or wget to inspect the login page's parameters, and network monitors such as tcpdump or Wireshark to capture suspicious outbound requests; for example, `tcpdump -i any -n host attacker-server-domain`, combined with grep or log analysis to find POST requests whose `url` parameter redirects to an external URL. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the Media upload feature to prevent uploading malicious HTML files, applying strict input validation and sanitization on the 'url' parameter in the login page to prevent Open Redirect attacks, and implementing CSRF protections such as tokens to block unauthorized POST requests. Additionally, updating or patching the WBCE CMS to a version that addresses these vulnerabilities (if available) is recommended. Monitoring and blocking suspicious external requests from the CMS server can also help reduce risk. [1]
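As an added example (not WBCE CMS code and not part of the original record), the following Python combines the two defensive measures described in the detection and mitigation answers above: a strict same-site check for the login page's `url` redirect parameter, and a sweep over web-server access logs for login-page requests whose `url` parameter points off-site. The CMS hostname, the log format and the sample log lines are constructed assumptions; the login path is the one named above.

```python
import re
from urllib.parse import urlsplit, parse_qs

CMS_HOST = "cms.example.org"                # assumed CMS hostname (placeholder)
LOGIN_PATH = "/wbce/admin/login/index.php"  # login page named in the Q&A above

def is_safe_redirect(target: str, cms_host: str = CMS_HOST) -> bool:
    """True only if a 'url' value stays on the CMS: rejects other hosts,
    '//host' and '///host' forms, backslashes (browsers turn them into
    slashes), non-https schemes such as javascript:, and control chars."""
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: exact netloc match, so 'https://cms@evil/' fails too.
        return parts.scheme == "https" and parts.netloc.lower() == cms_host
    # Relative target: must be a site-absolute path, never '//...'
    return target.startswith("/") and not target.startswith("//")

# Apache/nginx combined-style request line; only the fields we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def flag_redirect_abuse(log_lines, cms_host=CMS_HOST):
    """Return (ip, method, url) for login-page hits whose 'url' parameter
    points off-site. Only the request line is inspected, so a target sent
    in a POST body needs a log source that records bodies (e.g. a WAF)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["target"])
        if req.path != LOGIN_PATH:
            continue
        for url in parse_qs(req.query).get("url", []):  # already %-decoded
            if not is_safe_redirect(url, cms_host):
                hits.append((m["ip"], m["method"], url))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not from any real system
    '10.0.0.5 - - [16/Dec/2025:10:00:01 +0000] "GET /wbce/admin/login/index.php?url=%2Fwbce%2Fadmin%2Findex.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Dec/2025:10:00:07 +0000] "POST /wbce/admin/login/index.php?url=https%3A%2F%2Fattacker.example%2Fkeylog.html HTTP/1.1" 302 0',
    '10.0.0.9 - - [16/Dec/2025:10:00:09 +0000] "GET /wbce/admin/login/index.php?url=%2F%2Fattacker.example%2Fkeylog.html HTTP/1.1" 302 0',
    '10.0.0.7 - - [16/Dec/2025:10:00:12 +0000] "GET /wbce/pages/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, method, url in flag_redirect_abuse(SAMPLE_LOG):
        print(f"suspicious login redirect from {ip}: {method} url={url}")
```

The same `is_safe_redirect` rule, ported to the CMS's login handler, is what closes the Open Redirect half of the chain; the log sweep only finds targets visible in the request line.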