Submit #484935: Sourcecodester Online Courseware 1 Cross Site Scripting

Title: Sourcecodester Online Courseware 1 Cross Site Scripting

Description:

Summary: Stored XSS occurs when an attacker injects malicious scripts into a web application, which are then stored on the server and executed in the browser of other users accessing the affected pages. In this scenario, the vulnerability exists in the "Online Courseware" application within the "Edit Teacher" functionality. The injected payload in the fname parameter is stored on the server and executed when the relevant page is accessed.

Steps to Reproduce:
1. Log in to the Online Courseware application with an admin account.
2. Navigate to the "Teacher" section and click on the "Edit" button for a teacher's profile.
3. Capture the HTTP request using Burp Suite and observe the /pcci/admin/saveeditt.php endpoint being triggered.
4. Modify the fname parameter in the request body to include the XSS payload, e.g., <script>alert(1)</script>.
5. Send the request. The payload will be stored on the server.
6. Visit the affected page or reload it in the browser to observe the execution of the payload, triggering a pop-up.

Risk: Stored XSS vulnerabilities are particularly dangerous because the malicious payload is stored on the server and executed in the browser of any user who accesses the compromised content. This can lead to:
- Theft of sensitive user data (e.g., cookies, session tokens).
- Execution of unauthorized actions on behalf of other users.
- Defacement of the application interface.
- Redirection to malicious websites.

Impact: Exploitation of this vulnerability can compromise the security of user accounts, including administrative accounts. Attackers may gain unauthorized access to sensitive information, hijack user sessions, or disrupt the functionality of the application. The organization's reputation and trustworthiness can also be severely affected.
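Added example, not code from the Online Courseware project or from the submitter: the defensive counterpart to the report above. It shows the stored fname value from the edit-teacher flow written into HTML unencoded beside the output-encoded version, plus a save-side validity check for the saveeditt.php handler; the function names and the $teacher array are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (assumed shape of the affected page): the stored fname is
// written into the HTML unchanged, so a stored <script>alert(1)</script> runs
// in the browser of every admin who opens the teacher list.
function render_teacher_row_vulnerable(array $teacher): string
{
    return "<td>{$teacher['fname']}</td>";
}

// Hardened pattern: encode at the point of output for the HTML element context.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise silently drop the field.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_teacher_row(array $teacher): string
{
    return '<td>' . esc($teacher['fname']) . '</td>';
}

// Defense in depth for the save side (saveeditt.php): a first name should be
// letters, marks, spaces, apostrophes, hyphens or periods, 1 to 64 characters.
// This narrows what gets stored; output encoding above is still mandatory,
// because validation alone cannot cover every context the value is rendered in.
function validate_fname(string $fname): bool
{
    return (bool) preg_match("/^[\p{L}\p{M}' .-]{1,64}$/u", $fname);
}

// Constructed sample: the payload from the report as it would sit in the database.
$teacher = ['fname' => '<script>alert(1)</script>'];

echo render_teacher_row_vulnerable($teacher), PHP_EOL; // script element survives intact
echo render_teacher_row($teacher), PHP_EOL;            // angle brackets are entity-encoded
var_dump(validate_fname($teacher['fname']));           // rejected before storage
```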
Source: http://gullubadmosh.local/test/pcci/admin/saveeditt.php
User: Anonymous User
Submission: 01/18/2025 02:29 PM (5 months ago)
Moderation: 01/28/2025 03:44 PM (10 days later)
Status: Accepted
VulDB Entry: 293922 [SourceCodester Online Courseware 1.0 Edit Teacher saveeditt.php fname cross site scripting]
Points: 20
