| Field | Value |
|---|---|
| Title | SourceCodester PHP CRUD using PDO Connection with Free Source Code 1.0 Cross Site Scripting |
| User | Delvy (UID 74555) |
| Submission | 09/06/2024 12:58 PM (10 months ago) |
| Moderation | 09/06/2024 11:36 PM (11 hours later) |
| Status | Accepted |
| VulDB Entry | 276783 [SourceCodester PHP CRUD 1.0 /endpoint/update.php first_name/middle_name/last_name cross site scripting] |
| Points | 17 |

Description:

I would like to report an XSS injection vulnerability I discovered in the SourceCodester PHP CRUD using PDO Connection with Free Source Code during my testing.

Details:

Affected URL/Endpoint: /basic-crud/endpoint/add.php, /basic-crud/endpoint/update.php
Vulnerable Parameter: first_name, middle_name, last_name
Risk Level: High (allows malicious users to execute arbitrary SQL queries)

Steps to reproduce:

1) Click on the Add or Update button.
2) Use a proxy like Burp Suite to intercept the "add" or "update" request.
3) Input the payload to invoke the XSS injection.

```
table=tbl_customer&tbl_person_id=&first_name=%3Ch2%3Etest%3C%2Fh2%3E&middle_name=%3Ch2%3Etest%3C%2Fh2%3E&last_name=%3Ch2%3Etest%3C%2Fh2%3E
```

Please let me know if you need further information or a more detailed analysis.
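The report above describes stored XSS through name fields that the application echoes back into its HTML. As an added example (not code from the SourceCodester project or from the reporter), the PHP below parses the request body quoted in the report, renders it once with the unsafe pattern that produces this class of bug and once with context-aware output encoding, and adds an optional input check. The function names, the row layout and the assumption that the app prints these fields into a table cell are hypothetical.

```php
<?php
// Added example, not part of the SourceCodester project or the VulDB report.
// Assumption: the CRUD app stores first_name/middle_name/last_name via PDO and
// later echoes them into an HTML table; all names below are hypothetical.

declare(strict_types=1);

// The request body exactly as quoted in the report; parse_str() URL-decodes
// the %3C / %3E sequences back into '<' and '>'.
$body = 'table=tbl_customer&tbl_person_id=&first_name=%3Ch2%3Etest%3C%2Fh2%3E'
      . '&middle_name=%3Ch2%3Etest%3C%2Fh2%3E&last_name=%3Ch2%3Etest%3C%2Fh2%3E';
parse_str($body, $submitted);

// Vulnerable pattern: stored values are written straight into the page, so any
// HTML or script inside a "name" is interpreted by every browser that views it.
function render_row_unsafe(array $person): string
{
    return '<tr><td>' . $person['first_name'] . '</td><td>'
         . $person['middle_name'] . '</td><td>'
         . $person['last_name'] . '</td></tr>';
}

// Hardened pattern: encode at output time for the HTML context. ENT_QUOTES also
// escapes single quotes, so the helper stays safe inside attribute values;
// ENT_SUBSTITUTE stops invalid UTF-8 from turning the whole cell into "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $person): string
{
    return '<tr><td>' . h($person['first_name']) . '</td><td>'
         . h($person['middle_name']) . '</td><td>'
         . h($person['last_name']) . '</td></tr>';
}

// Optional input-side control for add.php/update.php: reject values that cannot
// be a person's name. This limits what reaches the database but does not
// replace output encoding, which is the control that actually stops XSS.
function is_plausible_name(string $value): bool
{
    return $value !== ''
        && mb_strlen($value, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{M}\s\'.-]+$/u', $value) === 1;
}

echo render_row_unsafe($submitted), PHP_EOL;   // markup survives intact
echo render_row_safe($submitted), PHP_EOL;     // markup is shown literally
var_dump(is_plausible_name($submitted['first_name']));
var_dump(is_plausible_name("O'Brien"));
```

Run it with `php` on the command line: the first rendered row still contains the `<h2>` tags, the second contains only entity-encoded text, and the name check rejects the probe while accepting an ordinary name with an apostrophe. In a real fix the `h()` wrapper belongs on every dynamic value the templates print, not just the three parameters named in the report.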