CVE-2023-36158: Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Management System 1.0 allows remote att...
Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Management System 1.0 allows remote attackers to run arbitrary code via the First Name and Last Name fields on the My Account page.
Security readout for executives and security teams
Plain-English summary
CVE-2023-36158 is an XSS issue reported in SourceCodester Toll Tax Management System 1.0. User profile name fields can accept content that runs as code when rendered. For organizations using this app, the business risk is account or session abuse, but public sources do not provide a CVSS score or patch confirmation.
Executive priority
Prioritize if this application is deployed on an internal or public-facing service. The issue is not KEV-listed and lacks CVSS data, but XSS in an administrative or account system can still create business risk if users trust the application.
Technical view
The issue is described as XSS through the First Name and Last Name fields on the My Account page. Sources identify Toll Tax Management System 1.0, but structured affected-product metadata is incomplete. The available bundle does not confirm authentication requirements, vulnerable code paths beyond those fields, fixed versions, or vendor remediation.
Likely exposure
Exposure is likely limited to deployments of SourceCodester Toll Tax Management System 1.0, especially where users can edit profile details. Internet exposure increases concern. The CVE record’s affected-product fields are incomplete, so inventory validation should rely on application name and version evidence.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. Public references include vulnerability writeups, but the provided data does not establish exploitation in the wild. Treat public knowledge as increasing validation urgency without assuming active attacks.
Researcher notes
Evidence is thin: no CVSS, no CWE mapping, incomplete affected metadata, and no confirmed fixed release in the bundle. The My Account location suggests profile-field validation and rendering are the key review targets, but authentication and persistence should be independently verified.
Mitigation direction
Identify any Toll Tax Management System 1.0 deployments.
Check SourceCodester or maintainer guidance for updates or patches.
Restrict access to the application if no fix is available.
Review profile input handling and output encoding for name fields.
Monitor application logs for suspicious profile-field changes.
Validation and detection
Confirm the application name and version in asset inventory.
Review the My Account First Name and Last Name handling.
Test safely in a non-production environment for XSS rendering.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.