Stored Cross-site Scripting (Stored XSS) in Sourcecodester Free and Open Source inventory management system 1.0 (/app/action/add_staff.php and /pages/staff_list.php)
CVE-2024-9323
Description and Impact:
- This vulnerability was found in the Free and Open Source inventory management system project, version 1.0, on Sourcecodester (https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html).
- The vulnerability is in the Staff function: when adding new staff (/app/action/add_staff.php), malicious JavaScript code can be injected through the Name, Designation and Address parameters.
- The application does not sanitize or validate this input when the record is saved, and the values are written into the page without HTML encoding. After the new staff record is added, opening the staff list (/pages/staff_list.php) renders the stored values and triggers the injected JavaScript, which results in stored XSS: the payload runs in the browser of every user who later views the staff list, not only the user who entered it.
Steps to reproduce:
- First, access the dashboard of the website.
- Then click on Staff and choose the Add Staff section.
- In the Name, Designation and Address parameters, inject malicious JavaScript code. For this example, use <script>alert(1337)</script> for the Name parameter, <script>alert(1338)</script> for the Designation parameter and <script>alert(1339)</script> for the Address parameter, then click Add member to save the new staff record.
- Finally, click on Staff list (right below Add staff) to trigger the stored XSS vulnerability; the three alert dialogs fire when the list page renders the stored values.
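The following PHP script is an added illustration and is not the Sourcecodester project's code. It assumes the pattern the advisory describes: add_staff.php stores the Name, Designation and Address fields verbatim, and staff_list.php concatenates them straight into HTML. The function names, the table row markup and the sample payloads are constructed for the example; the fix shown (encoding at the HTML output sink with htmlspecialchars, with input validation only as a secondary layer) is the standard remediation for this bug class, not a patch taken from the project.

```php
<?php
// Added example, not the project's code. Simulates the assumed vulnerable
// flow (add_staff.php -> staff_list.php) and the hardened version side by side.
// Run with: php xss_demo.php

declare(strict_types=1);

// Constructed input: the three payloads from the advisory, plus an
// attribute-breaking variant for Address. In the real app these arrive via $_POST.
$submitted = [
    'name'        => '<script>alert(1337)</script>',
    'designation' => '<script>alert(1338)</script>',
    'address'     => '"><img src=x onerror=alert(1339)>',
];

// Assumed storage step (mirrors what add_staff.php is described to do):
// the values are kept exactly as submitted.
function storeStaffVulnerable(array $post): array
{
    return [
        'name'        => $post['name'],
        'designation' => $post['designation'],
        'address'     => $post['address'],
    ];
}

// Assumed render step (mirrors what staff_list.php is described to do):
// raw string concatenation into the HTML table, no encoding.
function renderRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td><td>' . $row['designation']
         . '</td><td>' . $row['address'] . '</td></tr>';
}

// Hardened render: encode every untrusted value at the HTML output sink.
// ENT_QUOTES encodes both quote styles so attribute contexts are covered too;
// ENT_SUBSTITUTE avoids an empty string on invalid UTF-8; the explicit charset
// stops multibyte tricks from slipping past the encoder.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    return '<tr><td>' . h($row['name']) . '</td><td>' . h($row['designation'])
         . '</td><td>' . h($row['address']) . '</td></tr>';
}

// Secondary layer for add_staff.php: reject values that cannot be a legitimate
// name, designation or address. This is defence in depth; output encoding above
// is the fix, because stored data may also be rendered by pages added later.
function validateStaffInput(array $post): array
{
    $errors = [];
    foreach (['name', 'designation', 'address'] as $field) {
        $v = $post[$field] ?? '';
        // strlen is a byte length; 200 bytes is a generous cap for these fields.
        if ($v === '' || strlen($v) > 200 || preg_match('/[<>]/', $v) === 1) {
            $errors[] = "$field: empty, too long, or contains < or >";
        }
    }
    return $errors;
}

// Self-check used below: does the rendered HTML still contain the raw tag?
function containsRaw(string $html, string $needle): bool
{
    return strpos($html, $needle) !== false;
}

$row = storeStaffVulnerable($submitted);

echo "Vulnerable staff_list.php output:\n", renderRowVulnerable($row), "\n\n";
echo "Hardened output:\n", renderRowSafe($row), "\n\n";

echo "Validation errors on the payload set:\n";
foreach (validateStaffInput($submitted) as $e) {
    echo "  - $e\n";
}

echo "\nRaw <script> in vulnerable output: ",
     containsRaw(renderRowVulnerable($row), '<script>') ? 'yes' : 'no', "\n";
echo "Raw <script> in hardened output:   ",
     containsRaw(renderRowSafe($row), '<script>') ? 'yes' : 'no', "\n";
```

When retesting a fix in the application itself, check the hardened staff list with the same three payloads and also with the attribute-context variant shown for Address: an encoder applied without ENT_QUOTES will neutralise the <script> payloads but can still be broken out of inside a quoted attribute.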