By combining AI with human insight, the Armis Vulnerability Intelligence Database offers extended coverage of the vulnerabilities that matter to you and your industry, and provides clear remediation instructions.
Take These Insights to the Next Level
Armis now offers direct API access to Armis Vulnerability Intelligence Database through the AWS Marketplace, transforming it from a powerful research tool into an integrated component of your proactive security posture.
Seamless Integration: Directly feed Armis's contextual data into your existing stack.
Automated Workflows: Automate vulnerability lookups in real-time.
Custom Solutions: Use the raw data to build custom dashboards, reports, alerts.
CVE-2023-6301 | Medium Severity | Armis
CVE-2023-6301:
Reflected cross-site scripting vulnerability in SourceCodester Best Courier Management System 1.0 (parcel_list.php GET Parameter Handler) where the id parameter can be manipulated (e.g., alert(1)) to inject and execute arbitrary JavaScript in the victim’s browser.
Score
A numerical rating that indicates how dangerous this vulnerability is.
CVSS Score: 6.1 (Medium)
Published Date: Nov 27, 2023
CISA KEV Date: No Data
Industries Affected: 20

Threat Predictions
EPSS Score: 0.2
EPSS Percentile: 38%

Exploitability
Score: 2.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED

Impact
Score: 2.7
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Overview
SourceCodester’s Best Courier Management System 1.0 contains a reflected cross-site scripting vulnerability in the parcel_list.php component that processes the id GET parameter. Due to insufficient input handling, crafted payloads can be echoed back in the web page, enabling an attacker to execute arbitrary scripts in a victim’s browser. The flaw is categorized as CWE-79 (XSS) and carries a low severity score, with public disclosure and available exploit references.
Remediation
- Upgrade to the latest available version from SourceCodester or apply the vendor’s patch addressing the XSS in parcel_list.php.
- Implement proper input validation on the id parameter (server-side). Reject or sanitize any non-expected input before use.
- Ensure all data derived from user input that is reflected in HTML output is properly encoded/escaped (prefer a templating engine with auto-escaping or explicit HTML entity encoding).
- Use contextual encoding for all reflected values (HTML-escape for HTML contexts).
- Implement a restrictive Content Security Policy (CSP) to mitigate script execution if an injection occurs.
- Consider enabling a Web Application Firewall (WAF) rule to detect and block reflected XSS patterns in GET parameters.
- After remediation, verify fixes with both automated scanners and manual testing, using XSS payloads (including the provided example) to confirm that no script is reflected or executed.
- Audit other GET/POST parameters across the application for similar reflection flaws and remediate as needed.
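One way to apply the validation, encoding and CSP steps above to the parcel lookup, as an added example written for this page (it is not SourceCodester's parcel_list.php; the recipient field, the find_parcel() lookup and the sample record are assumptions):

```php
<?php
// Added example for this page: a hardened handler for the id GET parameter.
// It is not SourceCodester's parcel_list.php; the recipient field, the
// find_parcel() lookup and the sample record below are assumptions.
declare(strict_types=1);

// Defence in depth (remediation step on CSP): even if another reflection
// point is missed, a restrictive policy limits what injected script can do.
// Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

// The CWE-79 pattern is echoing the raw parameter into the page, e.g.
//   echo 'Parcel ' . $_GET['id'];
// Server-side validation replaces it: a parcel id is a positive integer,
// so anything else is rejected before it reaches the HTML or the database.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {      // null: absent, false: not an int
    http_response_code(400);
    exit('Invalid parcel id.');           // fixed text; input is never echoed
}

/** HTML-context encoding for every reflected value (quotes included). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Assumed lookup standing in for the application's own query, which should
// bind $id as an integer in a prepared statement. The record is constructed
// sample data.
function find_parcel(int $id): ?array
{
    return $id === 42 ? ['id' => 42, 'recipient' => 'A. <b>Smith</b>'] : null;
}

$parcel = find_parcel($id);
if ($parcel === null) {
    http_response_code(404);
    exit('Parcel not found.');
}

// Database fields are encoded too: stored values may have arrived through
// another form that was not validated.
echo '<h1>Parcel ' . h((string) $parcel['id']) . '</h1>';
echo '<p>Recipient: ' . h($parcel['recipient']) . '</p>';
```

Requesting the page with a non-numeric id returns a fixed 400 response, and a value such as `<b>Smith</b>` in a looked-up record renders as literal text rather than markup.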