admin-dashboard-in-php has Cross Site Scripting vulnerability in vendor_management.php
supplier
https://code-projects.org/online-exam-mastering-system-php/
describe
In vendor_management.php.There are unrestricted cross site scripting attacks and injection attacks in the admin-dashboard-in-php. The controllable parameters are as follows: nome parameter. This function will execute the user parameter without restriction into the echo statement. Malicious attackers can exploit this vulnerability to obtain sensitive information from clients
Code analysis
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
Querying and storing data from the database directly and echo out it without filter, resulting in the execution of XSS statements.
payload
Just type <script>alert(1)</script> in username
result
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →