Alumni Management System 1.0 Cross Site Scripting

2020.12.18
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Stored XSS on Alumni Management System
# Date: 23/10/2020
# Exploit Author: Valerio Alessandroni
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-28071
# Description: After authenticating as admin, an attacker can upload an image to the gallery with a JavaScript payload in the description textarea named "about". The payload is stored and rendered unencoded, resulting in a stored XSS.
# Reproduction:
- Log in as "admin"
- Upload an image in the gallery area of the administration panel, injecting JavaScript code into the textarea named "about"
- The resulting XSS fires in the administration panel (ex: http://127.0.0.1/admin/index.php?page=gallery) and in the public gallery (ex: http://127.0.0.1/index.php?page=gallery)
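The root cause the advisory describes is a stored field ("about") being echoed into HTML on two pages without output encoding. The snippet below is an added illustration of that flaw class and its fix; it is not code from Alumni Management System, and the function names, array keys and the sample payload are assumptions made for this example.

```php
<?php
// Added illustration of the flaw class behind CVE-2020-28071 (stored XSS via
// the gallery "about" field). Not code from Alumni Management System; the
// function names, array keys and payload below are assumptions.

// Constructed sample row, as it would be read back from the gallery table
// after an admin saved a payload in the "about" textarea.
$row = [
    'id'    => 1,
    'image' => 'uploads/1603468800_photo.jpg',
    'about' => '<img src=x onerror=alert(document.cookie)>',
];

// Vulnerable pattern: the stored description is concatenated into the HTML
// verbatim, so whatever was typed into the textarea becomes markup on every
// page that lists the gallery (admin panel and public gallery alike).
function render_gallery_item_vulnerable(array $row): string
{
    return '<div class="gallery-item">'
         . '<img src="' . $row['image'] . '">'
         . '<p class="about">' . $row['about'] . '</p>'
         . '</div>';
}

// Hardened pattern: encode at the output boundary. htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE turns <, >, &, " and ' into entities, so the
// browser shows the payload as text instead of executing it. The helper has
// to be applied in every template that prints the field, since the advisory
// notes that both the admin view and the public view render it.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_gallery_item_fixed(array $row): string
{
    return '<div class="gallery-item">'
         . '<img src="' . h($row['image']) . '">'
         . '<p class="about">' . h($row['about']) . '</p>'
         . '</div>';
}

// Regression check usable in a test suite: the raw payload must survive in
// the vulnerable rendering and must be absent from the fixed one.
function contains_raw_payload(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

$payload = $row['about'];
echo "vulnerable: ", render_gallery_item_vulnerable($row), PHP_EOL;
echo "fixed:      ", render_gallery_item_fixed($row), PHP_EOL;
var_dump(contains_raw_payload(render_gallery_item_vulnerable($row), $payload));
var_dump(contains_raw_payload(render_gallery_item_fixed($row), $payload));
```

Encoding on output, rather than stripping tags on input, is the durable fix: the same stored value may later be printed in a different context (an attribute, a JSON response) and a single input filter cannot anticipate all of them. Because the injection point requires admin authentication, the realistic impact is an admin planting script that runs for other admins and for every visitor of the public gallery, which is why the advisory rates the issue Low with Integrity impact Partial.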



Copyright 2021, cxsecurity.com
