| عنوان | SourceCodester Online Banking System July 14, 2021 - 17:13 Cross Site Scripting |
|---|
| الوصف | A Stored Cross-Site Scripting (XSS) vulnerability exists in the User Profile Update functionality of the application. The application fails to properly sanitize user‑supplied input in the First Name field before storing it in the database and rendering it across multiple pages.
An attacker can inject arbitrary JavaScript code into the First Name field, which will be executed every time any user (including administrators) views a page where that profile information is displayed. This allows attackers to perform actions such as session hijacking, credential theft, DOM manipulation, and full takeover of any account that loads the malicious profile data.
Proof of Concept Link:
https://mega.nz/file/T4hjCagS#87U1JgRHZWzXW2HTpBIG-H9dJ_w9kUERmaaQqJyB5_Q
Root Cause:
Improper neutralization and output encoding of user-controlled data (CWE‑79).
Impact:
Persistent JavaScript execution
Account takeover via session theft
Malware or phishing injection
Credential harvesting
Administrative compromise (if admin views the malicious profile)
Attack Vector:
Remote attacker with a low-privilege account can exploit the issue by modifying their profile details.
Sincerely,
Fatma Trabelsi |
|---|
| المصدر | ⚠️ https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html |
|---|
| المستخدم | fatmatrabelsi (UID 92973) |
|---|
| ارسال | 26/11/2025 02:41 AM (5 أشهر منذ) |
|---|
| الاعتدال | 07/12/2025 04:30 PM (12 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 334663 [SourceCodester Online Banking System 1.0 /?page=user First Name/Last Name البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|