admin-dashboard-in-php has Cross Site Scripting vulnerability in vendor_management.php

Supplier

https://code-projects.org/online-exam-mastering-system-php/

Description

In vendor_management.php of admin-dashboard-in-php there is an unrestricted cross-site scripting (XSS) and injection vulnerability. The controllable parameter is the nome parameter. The affected code passes the user-supplied parameter, without any restriction, straight into an echo statement. A malicious attacker can exploit this vulnerability to obtain sensitive information from clients.

Code analysis

[image]
The value is read from the database and echoed out directly, without any output filtering, so a stored XSS payload in that column is executed by the browser.
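The pattern described above, as an added illustration rather than the project's own code: the page only shows screenshots of vendor_management.php, so the row layout and the function names renderVendorNameUnsafe / renderVendorNameSafe are assumed. The stored value is the payload the advisory uses, and the hardened version encodes it at the point of output.

```php
<?php
// Added illustration, not the project's code: the column name "nome" comes from
// the advisory; the row shape and function names below are assumptions.

// Constructed sample row standing in for a vendor record fetched from the database,
// holding the payload exactly as an attacker would have stored it.
$vendorRow = ['id' => 7, 'nome' => '<script>alert(1)</script>'];

// Vulnerable pattern from the advisory: the column is echoed verbatim, so the
// browser parses the stored string as markup and runs the script.
function renderVendorNameUnsafe(array $row): string
{
    return '<td>' . $row['nome'] . '</td>';
}

// Hardened form: encode for the HTML context at output time. ENT_QUOTES also
// covers attribute values; ENT_SUBSTITUTE avoids silently returning '' on bad UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderVendorNameSafe(array $row): string
{
    return '<td>' . e($row['nome']) . '</td>';
}

echo 'unsafe: ' . renderVendorNameUnsafe($vendorRow) . PHP_EOL;
echo 'safe:   ' . renderVendorNameSafe($vendorRow) . PHP_EOL;

// Cheap regression check for the fix: no raw tag survives in the escaped output.
assert(strpos(renderVendorNameSafe($vendorRow), '<script') === false);
```

Because the payload is stored, escaping must happen on every output path that prints the column, not only at the form that accepts it; a value echoed into a JavaScript block or a URL needs the encoding for that context instead of htmlspecialchars.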

Payload

Just type <script>alert(1)</script> in the username field.

Result

[image]