Submit #306964: PHPGurukul Emergency Ambulance Hiring Portal 1.0 Cross Site Scriptinginfo

TitlePHPGurukul Emergency Ambulance Hiring Portal 1.0 Cross Site Scripting
DescriptionBug Description: A stored cross-site scripting (XSS) vulnerability in PHPGurukul Emergency Ambulance Hiring Portal 1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected in the "Add Ambulance" functionality. Steps to Reproduce: # Exploit Title: Stored XSS in "Add Ambulance" functionality of Emergency Ambulance Hiring Portal # Date: 28-03-2024 # Exploit Author: dhabaleshwardas # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ # Version: 1.0 # Tested on: firefox/chrome/brave # CVE: To reproduce the attack: 1- First, login to the application then, head to the http://localhost/eahp/admin/add-ambulance.php endpoint . 2- Here you would be asked to fill all the fields. We simply put XSS payloads in "Ambulance Reg No." and "Driver Name" fields and clicked "Add". 3- We can see that the payloads are directly embedded into the HTML content without proper sanitization or encoding, and hence, pop-ups are shown.
Source⚠️ https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/eahp_authsxss.md
User
 dhabaleshwar (UID 58737)
Submission03/29/2024 12:06 PM (8 months ago)
Moderation03/29/2024 03:27 PM (3 hours later)
StatusAccepted
VulDB Entry258683 [PHPGurukul Emergency Ambulance Hiring Portal 1.0 Add Ambulance Page /admin/add-ambulance.php Ambulance Reg No/Driver Name cross site scripting]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!