Submit #388905: GitHub Insurance Management System 1.0 Cross Site Scriptinginfo

TitleGitHub Insurance Management System 1.0 Cross Site Scripting
Description1. Description A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Life Insurance Management System within the addNominee.php endpoint. This vulnerability enables an attacker to inject malicious JavaScript code into the "Nominee" field associated with a client ID box. The injected script is stored in the database and executed when the affected page is viewed by users, including administrators. 2. Steps to Reproduce Navigate to the Add Nominee Page: Access the application at: http://localhost/life-insurance-management-system/lims/addNominee.php Inject Malicious Script: In the "Nominee-Client ID" field, input the following payload: <script>alert(document.domain)</script> Submit the Form: Submit the form with the injected payload. Trigger the XSS: Navigate to the Nominee section or any page within the application that displays the stored nominee data. Upon loading this page, the malicious script is executed, resulting in an alert box that displays the document's domain, confirming the XSS vulnerability. 3. Impact Confidentiality: Attackers can exploit this vulnerability to steal sensitive information, including session tokens, cookies, or other private data. Integrity: Attackers could manipulate the content displayed to users, potentially altering important information. Availability: Malicious scripts can be used to create denial of service (DoS) conditions through heavy or infinite loop scripts. 4. Proof of Concept Screenshot: (Include an attached screenshot showing the alert triggered by the payload) Payload: <script>alert(document.domain)</script> 5. Recommendations To address and mitigate the identified XSS vulnerability, consider implementing the following measures: Sanitize Input: Ensure that all user inputs are sanitized and validated before being stored in the database. Use libraries or frameworks that offer secure input handling. Escape Output: Properly escape and encode output when displaying user-generated content to prevent the execution of injected scripts. Content Security Policy (CSP): Implement a robust Content Security Policy to limit the sources from which scripts can be loaded and executed, reducing the risk of XSS attacks.
Source⚠️ http://localhost/life-insurance-management-system/lims/nominee.php
User
 fahadletsleep (ID 73320)
Submission08/10/2024 01:03 PM (2 months ago)
Moderation08/18/2024 10:24 AM (8 days later)
StatusAccepted
VulDB Entry275041
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!