| Titel | Simple Bakery Shop Management System - Stored XSS |
|---|
| Beschreibung | # Exploit Title: Simple Bakery Shop Management System - Stored XSS
# Exploit Author: Krishnakant Tiwari
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15174/simple-bakery-shop-management-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15174/simple-bakery-shop-management-system-phpoop-free-source-code.html
# Version: v1.0
# Tested on: Windows 11, Apache
Description:
A Stored XSS issue in Simple Bakery Shop Management System allows to inject Arbitrary JavaScript in "Full Name" Parameter when we are adding a new user in User List Page.
Parameter:
Add New = Full Name
Payload:
<script>prompt(document.domain)</script>
Steps:
1) Login as a Admin user
2) Now in that we can see an tab named "User List" in that go to "Add New"
3) The Parameter "Full Name" in this we put our payload.
4) As we can see when we just save the user our payload has been triggered. |
|---|
| Benutzer | krishna.t (UID 42731) |
|---|
| Einreichung | 12.03.2023 06:20 (vor 3 Jahren) |
|---|
| Moderieren | 12.03.2023 08:08 (2 hours later) |
|---|
| Status | Duplikat |
|---|
| VulDB Eintrag | 202613 [Simple Bakery Shop Management 1.0 ?page=manage_account Username/Full Name Cross Site Scripting] |
|---|
| Punkte | 0 |
|---|