CVE-2026-3983
Cross-Site Scripting in Campcodes Game Result Matrix System
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | division_regional_athletic_meet_game_result_matrix_system | 2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3983 is a stored Cross-Site Scripting (XSS) vulnerability found in version 2.1 of the Campcodes Division Regional Athletic Meet Game Result Matrix System, specifically in the save-games.php file.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize or validate user input in the "game_name" parameter. This allows an attacker to inject malicious scripts that are stored on the server.'}, {'type': 'paragraph', 'content': 'When other users access the affected data, the malicious scripts execute in their browsers, potentially compromising their security and privacy.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized execution of malicious scripts in the browsers of users interacting with the affected system.
Such script execution can compromise user security and privacy by potentially stealing sensitive information, hijacking user sessions, or performing actions on behalf of the user without their consent.
Since the attack can be performed remotely and requires some user interaction, it poses a risk to anyone using the vulnerable application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying instances of the vulnerable file save-games.php being accessed with the game_name parameter containing suspicious or malicious script payloads.'}, {'type': 'paragraph', 'content': 'One method to detect vulnerable targets is to use Google dorking with the query: inurl:save-games.php to find exposed instances of the affected system.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system, you can monitor web server logs for requests to save-games.php that include suspicious JavaScript code or typical XSS payloads in the game_name parameter.'}, {'type': 'paragraph', 'content': 'Example command to search web server logs for potential XSS attempts (assuming Apache logs):'}, {'type': 'list_item', 'content': "grep -i 'save-games.php' /var/log/apache2/access.log | grep -i 'game_name=.*<script'"}, {'type': 'list_item', 'content': "grep -i 'save-games.php' /var/log/apache2/access.log | grep -E 'game_name=.*(\\<|%3C).*script'"}, {'type': 'paragraph', 'content': 'Additionally, you can use web vulnerability scanners that support detection of stored XSS vulnerabilities by targeting the save-games.php endpoint and testing the game_name parameter for script injection.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or mitigations documented for this vulnerability.
The suggested immediate step is to replace the affected product with an alternative that does not contain this vulnerability.
As a temporary measure, you may consider implementing web application firewall (WAF) rules to block requests containing suspicious script payloads in the game_name parameter to reduce the risk of exploitation.
Additionally, monitoring and filtering input to the save-games.php file to prevent script injection can help mitigate the risk until a secure version or alternative is deployed.