| عنوان | code-projects Home Service System In PHP 1.0 Cross Site Scripting |
|---|
| الوصف | A stored cross-site scripting (XSS) vulnerability exists in the booking.php component of code-projects Home Service System In PHP 1.0. The fname and lname parameters are not properly sanitized before being stored and later rendered in the admin panel.
This allows a remote unauthenticated attacker to inject malicious JavaScript which executes in the administrator's browser context. Successful exploitation leads to session cookie theft and complete administrative account takeover.
Proof of concept and exploitation details have been publicly disclosed. |
|---|
| المصدر | ⚠️ https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git |
|---|
| المستخدم | imad alvi (UID 97088) |
|---|
| ارسال | 08/04/2026 07:16 PM (20 أيام منذ) |
|---|
| الاعتدال | 26/04/2026 10:22 AM (18 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 359664 [code-projects Home Service System 1.0 Appointment Booking /booking.php fname/lname البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|