# admin-dashboard-in-php has Cross Site Scripting vulnerability in vendor_management.php

## Supplier

https://code-projects.org/online-exam-mastering-system-php/

## Description

In vendor_management.php of admin-dashboard-in-php there is an unrestricted cross-site scripting (XSS) and injection issue. The controllable parameter is as follows: the `nome` parameter. The page passes this user-controlled value into an `echo` statement without any restriction. Malicious attackers can exploit this vulnerability to obtain sensitive information from clients.

## Code analysis

![image](https://hackmd.io/_uploads/HyyXD0WE1e.png)

![image](https://hackmd.io/_uploads/SyZFPCb4Jx.png)

The value is stored in the database, queried back, and echoed into the page directly without any filtering or output encoding, so a stored XSS payload is executed by the browser of whoever views the page.

## Payload

Just type `<script>alert(1)</script>` in username.

## Result

![image](https://hackmd.io/_uploads/r17ZxZQr1l.png)
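As an added illustration (not the project's own code), the output pattern the report describes next to its fix: the stored value is escaped for the HTML context at the point it is echoed. The column name `nome`, the table-cell rendering and the sample row are assumptions made for this example.

```php
<?php
// Added example, not code from admin-dashboard-in-php.
// Simulates one row as it might come back from the vendor query
// (constructed sample; the stored value is the payload from the report).
$row = ['nome' => '<script>alert(1)</script>'];

// Vulnerable pattern described in the report: the database value is
// concatenated straight into HTML and echoed. The browser sees a real
// <script> element and runs it for every user who views the page.
function render_vulnerable(array $row): string
{
    return '<td>' . $row['nome'] . '</td>';
}

// Hardened version: encode for the HTML context at output time.
// ENT_QUOTES also escapes single quotes, so the same helper is safe when
// the value ends up inside a quoted attribute; ENT_HTML5 keeps the
// encoding consistent with modern documents.
function render_escaped(array $row): string
{
    $safe = htmlspecialchars($row['nome'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Cheap self-check: after escaping, no raw tag can survive in the output.
function output_is_inert(string $html): bool
{
    return strpos($html, '<script') === false && strpos($html, '</script') === false;
}

echo render_vulnerable($row), PHP_EOL;            // <td><script>alert(1)</script></td>
echo render_escaped($row), PHP_EOL;               // <td>&lt;script&gt;alert(1)&lt;/script&gt;</td>
var_dump(output_is_inert(render_vulnerable($row))); // bool(false)
var_dump(output_is_inert(render_escaped($row)));    // bool(true)
```

Escaping at output is the fix for this bug; input filtering at the form is not a substitute, because the same value can reach the page through other write paths.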