CVE-2023-54343
Unknown Unknown - Not Provided
Persistent Cross-Site Scripting in QWE DL 2.0.1 Mobile App

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-14
NVD
CVE-2023-54343
EUVD
EUVD-2023-60536
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qwe qwe_dl to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-54343 is a persistent cross-site scripting (XSS) vulnerability in the QWE DL 2.0.1 mobile web application. It occurs due to improper input validation of the 'path' parameter, allowing remote attackers to inject malicious script code persistently by manipulating folder path names. This malicious code is stored and executed when users access affected pages, such as index or subfolder interfaces, enabling attackers to perform actions like session hijacking and manipulation of application modules. [1, 2]

Impact Analysis

This vulnerability can lead to session hijacking, allowing attackers to take over user sessions. It also enables persistent phishing attacks, external redirects to malicious sites, and manipulation of connected application modules. Overall, it compromises the security and integrity of the application and its users by executing malicious scripts within the app environment. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for crafted POST requests to the /create endpoint containing malicious script code in the 'path' parameter. A detection approach involves capturing and inspecting HTTP POST traffic to identify suspicious payloads attempting to inject scripts via the 'path' parameter. For example, using a network tool like curl or a proxy to send or detect such requests: curl -X POST -d 'path=<script>alert(1)</script>' https://target-app/create. Additionally, reviewing application logs for unusual folder creation requests with script tags in the path parameter can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying input validation and sanitization on the 'path' parameter to prevent script injection. If a patch or update is available from the vendor, apply it promptly. Until a fix is applied, restrict access to the /create endpoint to trusted users or networks, and monitor for suspicious POST requests. Additionally, educating users about the risk and disabling or limiting folder creation functionality may reduce exposure. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54343. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart