CVE-2026-38940
Status: Received - Intake
Cross Site Scripting in TOKO-ONLINE-ROTI v1.0

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component
Meta Information
Published: 2026-04-30
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: rafymrx | Product: toko-online-roti | Version / Range: 1.0
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross Site Scripting (XSS) issue found in RafyMrX TOKO-ONLINE-ROTI version 1.0. It allows a remote attacker to execute arbitrary code by exploiting the detail_produk.php component.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can execute arbitrary code remotely, which may lead to unauthorized actions such as stealing user data, hijacking user sessions, or injecting malicious scripts into the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The Cross Site Scripting (XSS) vulnerability in RafyMrX TOKO-ONLINE-ROTI v1.0 allows attackers to execute arbitrary code, potentially leading to session hijacking and unauthorized actions. Such security weaknesses can result in unauthorized access to sensitive user data.

This exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to mitigate this vulnerability may lead to violations of these regulations due to insufficient data protection and could result in legal and financial consequences.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /TOKO-ONLINE-ROTI/detail_produk.php component for reflected Cross-Site Scripting (XSS) in the 'produk' parameter.

A common detection method is to inject a simple JavaScript payload, such as <script>alert(1)</script>, into the 'produk' parameter and observe if the script is reflected and executed in the response.

For example, you can use curl or a browser to send a request like:

  • curl "http://[target]/TOKO-ONLINE-ROTI/detail_produk.php?produk=<script>alert(1)</script>"

If the alert script executes or the payload appears unencoded in the response, the vulnerability is present.
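Beyond probing the endpoint directly, a defender can hunt for exploitation attempts in existing web server access logs. The following Python script is an added example, not part of this record or of the TOKO-ONLINE-ROTI project: it parses combined-format log lines (constructed here), isolates requests to detail_produk.php, repeatedly URL-decodes the 'produk' parameter to defeat double encoding, and flags values carrying markup that a product name never needs. The marker regex is a heuristic assumption, not a signature from any vendor.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Apr/2026:10:01:12 +0000] "GET /TOKO-ONLINE-ROTI/detail_produk.php?produk=Roti%20Tawar HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Apr/2026:10:02:44 +0000] "GET /TOKO-ONLINE-ROTI/detail_produk.php?produk=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301 "-" "curl/8.5.0"
198.51.100.9 - - [30/Apr/2026:10:03:01 +0000] "GET /TOKO-ONLINE-ROTI/detail_produk.php?produk=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5290 "-" "curl/8.5.0"
198.51.100.12 - - [30/Apr/2026:10:04:10 +0000] "GET /TOKO-ONLINE-ROTI/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (assumed) markers: an HTML tag opener, a javascript: URL, or an on*= event handler.
XSS_MARKERS = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are compared in clear text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text, path='/TOKO-ONLINE-ROTI/detail_produk.php', param='produk'):
    """Return the requests to `path` whose `param` value contains XSS-style markup after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group('target'))
        if parts.path != path:
            continue
        # parse_qs already decodes once; decode_fully handles further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = decode_fully(raw)
            if XSS_MARKERS.search(value):
                hits.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'status': int(m.group('status')), 'produk': value})
    return hits


if __name__ == '__main__':
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} produk={hit['produk']!r}")
```

A 200 response to such a request is only a lead, not proof of exploitation; confirm by checking whether the reflected value reaches the HTML unencoded, as described above.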


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing user input and applying context-aware output encoding on the 'produk' parameter in the /TOKO-ONLINE-ROTI/detail_produk.php component.

This prevents malicious scripts from being executed in the victim's browser by blocking script injection.

Additionally, reviewing and updating the application to properly handle and encode all user-supplied data before rendering it in the response is recommended.

