Alumni Management System 1.0 Cross Site Scripting

2020.12.18

Credit: Valerio Alessandroni

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2020-28071

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: Stored XSS on Alumni Management System
# Date: 23/10/2020
# Exploit Author: Valerio Alessandroni
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-s ource-code.html
# Version: 1.0
# Tested on: ubuntu 18.04
# CVE : CVE-2020-28071
# Description:
An attacker after the admin authentication, can upload an image in the gallery, using a XSS payload in the description textarea called "about" and reach a stored XSS.
# Reproduction:
- Login as "admin"
- upload an image in the gallery area in the administration panel injecting Javascript code in the textarea called "about"
- The obtained XSS affects the administration panel (ex: http://127.0.0.1/admin/index.php?page=gallery) and
the public gallery (ex: http://127.0.0.1/index.php?page=gallery)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Alumni Management System 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.