Submit #79844: Reflected Cross-Site Scripting (XSS) Vulnerability in the Name Parameter of Canteen Management System 1.0 by SourceCodester

Title: Reflected Cross-Site Scripting (XSS) Vulnerability in the Name Parameter of Canteen Management System 1.0 by SourceCodester
Description:

# Description

A reflected cross-site scripting (XSS) vulnerability has been discovered in Canteen Management System 1.0 by SourceCodester. The vulnerability affects the 'Add Customer' form in the 'createcustomer.php' source file and allows an attacker to inject malicious code into the 'name' parameter. The injected code is reflected back to the user's browser and executed, allowing an attacker to steal sensitive information, perform actions on behalf of the user, or redirect the user to a malicious site. The vulnerability can be exploited remotely and has the potential for code execution. Note that it is only exploitable if the user clicks on a link or submits a form containing the malicious code.

# Details

- VULNERABILITY-TYPE: REFLECTED CROSS-SITE SCRIPTING (XSS)
- VENDOR OF THE PRODUCT: SOURCECODESTER
- AFFECTED PRODUCT: Canteen Management System
- VERSION: 1.0
- ATTACK TYPE: REMOTE
- IMPACT: CODE EXECUTION
- AFFECTED COMPONENTS: SOURCE-CODE (createcustomer.php)
- ATTACK VECTOR: Add Customer Form (name parameter)
- Tested-On: Windows 11 + XAMPP

# STEPS_TO_REPRODUCE

1. Log into the application with the above credential.
2. Navigate to the `CUSTOMER TAB` on the `LEFT PANEL` and select `Add Customer`; you will be redirected to this URL: [http://localhost/youthappam/add_customer.php](http://localhost/youthappam/add_customer.php)
3. Fill in the `Add Customer Form` with default/random values for every field except the `name` parameter; in the `name` parameter put the payload below.
4. Payload: `SRK_TEST"><script>alert(document.domain)</script>`
5. You will see that the `name` parameter is neither validated nor sanitized; the reflected payload executes and produces the alert pop-up.

# REFERENCE

https://cwe.mitre.org/data/definitions/79.html

# VIDEO-POC GITHUB-LINK

https://github.com/ctflearner/Vulnerability/blob/main/Canteen%20Management%20System/Canteen_Management_System_XSS_IN_Add_Customer.md
Source: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html
User: Affan (ID 39417)
Submission: 29.01.2023 09:32 (1 year ago)
Moderation: 29.01.2023 18:30 (9 hours later)
Status: Accepted
VulDB Entry: 219730
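The description above reports that the 'name' value is reflected into the page without validation or sanitization. The following PHP snippet is an added illustration, not code from Canteen Management System or from the submitter: it shows the general pattern that produces a reflected XSS in a form field (a submitted value concatenated straight into an HTML attribute) next to the hardened form, which encodes the value for the attribute context and, additionally, validates it. The function names, the assumed input field markup and the name-format check are assumptions; the real createcustomer.php is not reproduced here. The sample input is the payload from the steps to reproduce.

```php
<?php
// Added illustration (not the project's own code). The helper names and the
// field markup are assumptions; createcustomer.php itself is not reproduced.
declare(strict_types=1);

// Vulnerable pattern: the submitted 'name' is placed into an HTML attribute
// unchanged. A value containing a double quote closes the attribute, and the
// rest of the value is parsed as markup by the browser.
function renderNameVulnerable(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both " and ' so the value cannot leave the quoted attribute; the charset is
// stated explicitly so the result does not depend on default_charset.
function renderNameSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $escaped . '">';
}

// Input validation in addition to (never instead of) output encoding. The
// accepted format is an assumption: letters (any script), combining marks,
// spaces, apostrophes, periods and hyphens, at most 100 characters.
function isPlausibleCustomerName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,100}$/u', $name);
}

// Constructed sample input: the payload from the steps to reproduce.
$payload = 'SRK_TEST"><script>alert(document.domain)</script>';

echo "vulnerable: " . renderNameVulnerable($payload) . PHP_EOL;
echo "hardened:   " . renderNameSafe($payload) . PHP_EOL;
echo "validation: " . (isPlausibleCustomerName($payload) ? 'accepted' : 'rejected') . PHP_EOL;
echo "validation: " . (isPlausibleCustomerName("Mary O'Brien") ? 'accepted' : 'rejected') . PHP_EOL;
```

Run it with `php example.php`: the vulnerable line emits a closed attribute followed by a live `<script>` element, while the hardened line keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;...`. In a real handler the value would come from `$_POST['name'] ?? ''`; the encoding belongs at every point where the value is written into HTML (the confirmation page, the customer list, error messages), because reflected and stored XSS share the same fix.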
