Daily Expense Tracker System 1.0 Cross Site Scripting

2021.01.27

Credit: Priyanka Samak

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Daily Expense Tracker System Stored Cross-Site Scripting
Vulnerability
# Date: 2021-01-26
# Exploit Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/
# Software Link:
https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/
# Software: : Daily Expense Tracker System # Version : 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on Windows 10
# This application is vulnerable to Stored XSS vulnerability.
# Vulnerable script:
1) http://localhost/dets/user-profile.php
2)http://localhost/dets/add-expense.php
# Vulnerable parameters: ‘Full Name' and 'Item’
# Payload used: <script>alert(‘document.cookie’)</script>
# POC: When you view the details under the Manage Expense tab and User
Profile tab
# You will see your Javascript code executes.
Thanks and Regards, Priyanka Samak

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Daily Expense Tracker System 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.