SIAKAD STEKOM - Stored XSS Vulnerability (Login Page)

2025.05.24
0x6ick (ID)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: SIAKAD STEKOM - Stored XSS Vulnerability in Footer
# Date: 2025-05-22
# Exploit Author: 6ickzone (6ickzone@proton.me)
# Vendor Homepage: https://www.stekom.ac.id/
# Software Link: https://siakad2.stekom.ac.id/loginsiakad/login
# Category: Webapps
# CVE: N/A
# CWE: CWE-79

## Description:
A stored XSS vulnerability was discovered on the login page of SIAKAD STEKOM (https://siakad2.stekom.ac.id/loginsiakad/login), specifically within the footer text input. Malicious JavaScript payloads can be injected and stored, which will be executed every time the page is loaded, potentially compromising cookies or session tokens.

# Vulnerable Parameter:
Username field on the login page (https://siakad2.stekom.ac.id/loginsiakad/login)

## Payload (Proof of Concept):
"><svg/onload=alert('XSS')>

## Impact:
- Cookie/session hijacking
- Redirection to malicious websites
- Phishing attacks on users/admins

## Recommendation:
- Apply output encoding on all dynamic content (footer section).
- Sanitize inputs before storage.
- Implement Content Security Policy (CSP).

## Tested On:
- Chrome v123
- Firefox v120
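The following is an added example, not code from the advisory author or from the SIAKAD application, illustrating the first and third recommendations above. It assumes (as an assumption, since the page does not show the server code) that the footer is built by concatenating stored text into HTML; the proof-of-concept string is the one quoted in the advisory. The vulnerable renderer is shown beside an output-encoded one, a small parser-based check reports any inline event-handler attribute a browser would see in the rendered markup, and a CSP header without `'unsafe-inline'` is given as defence in depth.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the advisory's proof-of-concept string, as it would
# arrive in the username field and be persisted for display in the footer.
POC_PAYLOAD = "\"><svg/onload=alert('XSS')>"


def render_footer_vulnerable(text: str) -> str:
    """Pattern the advisory describes (assumed layout): stored text concatenated
    into HTML without encoding. The leading '">' in the payload closes the title
    attribute and the tag, so the remainder is parsed as a new <svg> element
    carrying an onload handler."""
    return f'<footer><span title="{text}">{text}</span></footer>'


def render_footer_hardened(text: str) -> str:
    """Same markup, but every dynamic value is HTML-encoded at output time.
    quote=True also encodes " and ', which keeps the attribute context intact."""
    safe = html.escape(text, quote=True)
    return f'<footer><span title="{safe}">{safe}</span></footer>'


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name))


def find_event_handlers(markup: str) -> list[tuple[str, str]]:
    """Return the inline event-handler attributes present in rendered markup.
    Usable as a regression check on rendered pages: the hardened output must
    yield an empty list."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found


def security_headers() -> dict[str, str]:
    """Defence in depth for the advisory's CSP recommendation: a script-src that
    omits 'unsafe-inline', so an injected onload= handler is refused by the
    browser even if an encoding bug slips through. Sources are illustrative and
    must be adjusted to the real deployment."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_footer_vulnerable(POC_PAYLOAD))
    print(find_event_handlers(render_footer_vulnerable(POC_PAYLOAD)))
    print(render_footer_hardened(POC_PAYLOAD))
    print(find_event_handlers(render_footer_hardened(POC_PAYLOAD)))
    print(security_headers())
```

Encoding at output time is the fix that removes the bug; input sanitisation (the second recommendation) reduces what reaches storage but should not be the only control, because the same stored value may later be rendered in a context the sanitiser did not anticipate. The CSP does not replace encoding, it limits the damage when encoding is missed.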

References:

https://siakad2.stekom.ac.id/loginsiakad/login
