
CVE-2024-0423: CWE-79 Cross Site Scripting in CodeAstro Online Food Ordering System

Severity: Low
Published: Thu Jan 11 2024 (01/11/2024, 19:31:03 UTC)
Source: CVE
Vendor/Project: CodeAstro
Product: Online Food Ordering System

Description

A vulnerability was found in CodeAstro Online Food Ordering System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file dishes.php. The manipulation of the argument res_id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250442 is the identifier assigned to this vulnerability.

AI-Powered Analysis

Last updated: 07/06/2025, 13:56:22 UTC

Technical Analysis

CVE-2024-0423 is a Cross Site Scripting (XSS) vulnerability identified in version 1.0 of the CodeAstro Online Food Ordering System. The vulnerability resides in the dishes.php file, specifically in the handling of the 'res_id' parameter. An attacker can manipulate this parameter to inject malicious scripts that execute in the context of the victim's browser. This vulnerability is classified under CWE-79, which pertains to improper neutralization of input leading to XSS. The attack vector is remote, requiring the attacker to trick a user into interacting with a crafted URL or input that contains the malicious payload. The vulnerability requires low privileges (PR:L) and user interaction (UI:R) to be exploited, and it does not impact confidentiality or availability but can lead to integrity issues such as session hijacking or defacement. The CVSS v3.1 base score is 3.5, indicating a low severity level. No patches have been published yet, and there are no known exploits in the wild at this time. However, the exploit details have been publicly disclosed, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is an online food ordering platform, potentially exposing customers and restaurant operators to malicious script execution within their browsers.

Potential Impact

For European organizations using the CodeAstro Online Food Ordering System version 1.0, this vulnerability could lead to targeted phishing attacks, session hijacking, or unauthorized actions performed on behalf of legitimate users. While the direct impact on system confidentiality and availability is minimal, the integrity of user sessions and data can be compromised. This could damage customer trust, lead to data leakage of user credentials or personal information, and potentially facilitate further attacks such as account takeover or fraud. Given the nature of online food ordering systems, which often handle payment information and personal data, even a low-severity XSS vulnerability can have reputational and financial consequences. Additionally, regulatory compliance under GDPR requires organizations to protect personal data, and exploitation of this vulnerability could lead to violations if personal data is compromised.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'res_id' parameter within dishes.php to neutralize any malicious scripts. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting the sources from which scripts can be loaded. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting this parameter can provide an additional layer of defense. Since no official patch is available, organizations should consider temporarily disabling or restricting access to the affected functionality if feasible. Regular security testing, including automated scanning for XSS vulnerabilities and manual code reviews, should be conducted. Educating users about the risks of clicking on suspicious links can also reduce the likelihood of successful exploitation. Monitoring web server logs for unusual request patterns targeting 'res_id' parameters may help in early detection of attempted attacks.
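The validation and output-encoding controls recommended above, written out as an added example. This is constructed illustration code, not CodeAstro's actual dishes.php; the `$pdo` connection, the `restaurants` table and the column names are assumptions.

```php
<?php
// Constructed example (not the project's own dishes.php) showing how a
// request parameter such as res_id should be validated and encoded.

// 1. Validate: res_id is expected to be a positive integer identifier.
//    Anything else is rejected before it reaches a query or the page body.
function validateResId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Encode: any string echoed into HTML is escaped for the HTML context,
//    with quotes encoded so the same helper is safe inside attributes.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Defence in depth: a restrictive CSP limits what an injected script
//    could do if an encoding gap remains elsewhere. Headers must be sent
//    before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('X-Content-Type-Options: nosniff');

$resId = validateResId($_GET['res_id'] ?? null);
if ($resId === null) {
    http_response_code(400);
    exit('Invalid restaurant id');
}

// Parameterised query: the validated integer is bound, never interpolated.
// $pdo is assumed to be an existing PDO connection.
$stmt = $pdo->prepare('SELECT name FROM restaurants WHERE res_id = ?');
$stmt->execute([$resId]);
$name = (string) $stmt->fetchColumn();

// The weak pattern the advisory describes echoes the raw parameter into the
// page, e.g.  echo "<h2>Dishes for " . $_GET['res_id'] . "</h2>";
// Hardened output: only the validated integer and an encoded string appear.
echo '<h2>Dishes for ' . escHtml($name) . ' (restaurant #' . $resId . ')</h2>';
```

Rejecting non-integer values up front also produces the 400 responses that the log-monitoring recommendation above can key on.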


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2024-01-11T12:22:19.973Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec8cc

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 1:56:22 PM

Last updated: 8/11/2025, 8:20:33 AM
