CVE-2023-53938
Stored XSS in RockMongo 1.1.7 via Unencoded Input Parameters
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iwind | rockmongo | 1.1.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53938 is a stored cross-site scripting (XSS) vulnerability in RockMongo 1.1.7, a PHP web administration interface for MongoDB. RockMongo writes several request parameters (the database and collection names, the new-collection 'name' field and the login 'username') into its HTML pages without HTML-encoding them. A crafted value, for example a collection name that contains a script tag, is stored by the application and executes in the browser of every RockMongo user who later opens the affected page, with the full privileges of that user's session. [1, 3]
How can this vulnerability impact me?
An attacker who can reach the RockMongo interface can run arbitrary JavaScript in the browsers of its other users. Because RockMongo users are normally the MongoDB administrators, a script running in their session can hijack that session, read or alter data through the interface's own database and server-command pages, deface the interface or phish for credentials. Because the payload is stored, one injection keeps firing for every user who views the affected page until the stored value is removed. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no passive network signature for this flaw; confirming it means sending the injection and checking whether the value comes back unencoded. The endpoints and parameters known to be affected in 1.1.7 are: 1) POST to /mongo/index.php?action=db.newCollection&db=local with the payload in the 'name' parameter (the collection name is stored, so this is the persistent vector). 2) GET requests to /mongo/index.php with the payload in the 'db', 'collection' or 'action' query parameters. 3) POST to /mongo/index.php?action=login.index&host=0 with the payload in 'username'. 4) POST to /mongo/index.php?action=server.command& and /mongo/index.php?action=server.execute& with the payload in 'db'. Use a harmless, unique marker wrapped in a single HTML tag rather than a script tag, then inspect the raw response (with curl or the browser's developer tools) for the marker returned verbatim versus HTML-encoded; waiting for an alert pop-up is only a crude indicator. Remember that the test itself stores the payload: run it against a non-production copy, or delete the created collection afterwards. Retrospectively, search the web server access log for requests to /mongo/index.php whose query strings carry '<' (URL-encoded as %3C) or 'script' in the 'db', 'collection' or 'action' parameters; POST bodies, where the 'name' and 'username' values travel, are not in the access log by default. [3]
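The request set above, written out as an added Python example that is not part of this advisory or of RockMongo itself: it places a harmless marker in each parameter the advisory lists and classifies the raw response as vulnerable (tag returned verbatim), neutralised (escaped or stripped) or absent. The marker string, the base URL and the cookie argument are assumptions, and the sample responses are constructed so the classifier can be exercised offline.

```python
"""Active check for CVE-2023-53938 (stored XSS in RockMongo 1.1.7).

Added example, not code from the advisory or from the RockMongo project.
Endpoints and parameter names are those the advisory lists; the marker
string, the test base URL and the session-cookie handling are assumptions.
"""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# A harmless, unique marker beats <script>alert(1)</script>: whatever the app
# stores (a collection or database name) stays greppable and executes nothing.
MARKER = "rmxss7b3f1"
PROBE = "<b>" + MARKER + "</b>"          # one tag is enough to test neutralisation

# (HTTP method, path and fixed query string, parameter that carries the probe),
# taken from the advisory's list of injectable request parameters.
PROBES = [
    ("POST", "/mongo/index.php?action=db.newCollection&db=local", "name"),
    ("GET",  "/mongo/index.php", "db"),
    ("GET",  "/mongo/index.php", "collection"),
    ("GET",  "/mongo/index.php", "action"),
    ("POST", "/mongo/index.php?action=login.index&host=0", "username"),
    ("POST", "/mongo/index.php?action=server.command&", "db"),
    ("POST", "/mongo/index.php?action=server.execute&", "db"),
]


def classify(body: str) -> str:
    """Verdict for one HTML response: 'vulnerable', 'neutralised' or 'absent'.

    'vulnerable'  - the tag came back byte-for-byte, so it will render as markup.
    'neutralised' - the marker is present but the tag was escaped or stripped.
    'absent'      - the input was not reflected in this response at all
                    (a stored copy may still appear on another page).
    """
    if PROBE in body:
        return "vulnerable"
    if html.escape(PROBE) in body or MARKER in body:
        return "neutralised"
    return "absent"


def build_request(base_url, method, path, param, cookie=None):
    """Build the GET or POST request that places PROBE in `param`."""
    base = base_url.rstrip("/")
    encoded = urllib.parse.urlencode({param: PROBE})
    if method == "GET":
        # Keep the advisory's literal paths, some of which already end in '&'.
        sep = "" if path[-1] in "?&" else ("&" if "?" in path else "?")
        req = urllib.request.Request(base + path + sep + encoded, method="GET")
    else:
        req = urllib.request.Request(base + path, data=encoded.encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:                      # most endpoints need a logged-in RockMongo session
        req.add_header("Cookie", cookie)
    return req


def scan(base_url, cookie=None, timeout=10):
    """Send every probe and classify the immediate response body."""
    results = {}
    for method, path, param in PROBES:
        req = build_request(base_url, method, path, param, cookie)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # error pages can reflect input too
            body = err.read().decode("utf-8", "replace")
        results[(method, path, param)] = classify(body)
    return results


# Constructed sample responses (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "raw":     "<title>RockMongo</title><h1>Collection " + PROBE + "</h1>",
    "escaped": "<h1>Collection " + html.escape(PROBE) + "</h1>",
    "none":    "<html><body>Login</body></html>",
}


def demo():
    """Classify the constructed samples; returns {'raw': 'vulnerable', ...}."""
    return {name: classify(body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # usage: <script> http://host[:port] [cookie-header-value]
    if len(sys.argv) > 1:
        verdicts = scan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
        for key, verdict in verdicts.items():
            print(verdict.ljust(11), *key)
    else:
        print(demo())
```

The immediate response only shows reflection; for the stored vector (the db.newCollection probe) also fetch the RockMongo pages that list the database's collections and run them through classify(), then drop the marker collection. Point this only at a test copy of the interface, since a successful probe leaves the marker in the database.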
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Stop exposing RockMongo 1.1.7; no fixed release is referenced here, so treat the interface as unpatched and remove it if it is not essential. 2) Restrict access to the RockMongo interface to trusted administrators, ideally only over a VPN or from an internal management network, and never directly from the Internet. 3) If the interface must stay in place, patch the application locally by HTML-encoding every user-supplied value before it is written into a page (in PHP, passing the 'db', 'collection', 'name' and 'username' values through htmlspecialchars()), and reject database and collection names that contain '<', '>' or quotes. 4) Replace RockMongo's default credentials with strong, unique passwords so that the stored vector cannot be planted by anyone who finds the login page. 5) Put the interface behind a reverse proxy or WAF that blocks requests to /mongo/index.php whose 'db', 'collection', 'name' or 'username' parameters contain HTML tags, and alert on such attempts. 6) Review existing databases and collections for names containing HTML, since a payload may already be stored. [1, 2, 3]