admin-dashboard-in-php has Cross Site Scripting vulnerability in vendor_management.php

Supplier

https://code-projects.org/online-exam-mastering-system-php/

Description

In vendor_management.php of admin-dashboard-in-php, the `nome` parameter is under attacker control and is passed without restriction into an echo statement, which allows unrestricted cross-site scripting and injection attacks. Malicious attackers can exploit this vulnerability to obtain sensitive information from clients.

Code analysis


The value is queried from the database (where it was stored from user input) and echoed out directly without any filtering or output encoding, so a stored XSS payload is executed by the browser.
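As an added illustration (not code from the project), the unsafe echo pattern described above beside a hardened version that encodes on output and stores with a prepared statement; the `nome` parameter comes from the report, while the table name, column name and `$_POST` handling are assumptions:

```php
<?php
// Added example, not the project's own code. "nome" is the parameter named in
// the report; the "vendors" table and the $_POST field are assumptions.
declare(strict_types=1);

// Encode untrusted data for an HTML body/attribute context before echoing it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern the report describes: the stored value is echoed as-is,
// so markup inside it becomes part of the page.
function renderVendorRowUnsafe(array $vendor): string
{
    return '<tr><td>' . $vendor['nome'] . '</td></tr>';
}

// Hardened pattern: every dynamic value is encoded at the point of output.
function renderVendorRowSafe(array $vendor): string
{
    return '<tr><td>' . e($vendor['nome']) . '</td></tr>';
}

// Hardened write path (assumed schema): a prepared statement keeps the same
// user-controlled value from being interpreted as SQL when it is stored.
function storeVendorName(PDO $db, string $nome): void
{
    $stmt = $db->prepare('INSERT INTO vendors (nome) VALUES (:nome)');
    $stmt->execute([':nome' => $nome]);
}

// Constructed sample record standing in for a row read from the database.
$vendor = ['nome' => '<script>alert(1)</script>'];

echo renderVendorRowUnsafe($vendor), PHP_EOL; // script tag reaches the browser
echo renderVendorRowSafe($vendor), PHP_EOL;   // rendered as literal text
```

Encoding on output is the fix for the echo; the prepared statement addresses the separate injection risk on the write path the report mentions.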

Payload

Just type `<script>alert(1)</script>` in the username field.

Result
