| Title | PHPGurukul Notice Board System 1.0 Stored Cross-Site Scripting (XSS) |
|---|
| Description | The Notice Board System by PHPGurukul suffers from a Stored Cross-Site Scripting (XSS) vulnerability. Input fields in the “Add Notice” feature (available in the admin panel) do not properly sanitize or encode HTML content submitted through the web form. Malicious JavaScript code can be stored in the Notice Title and Notice Description. The payload is rendered as-is when viewing notices, allowing arbitrary JavaScript execution in the context of the admin or other users. |
|---|

Technical Overview:
- Affected component: Admin Panel → Add Notice (/admin/add-notice.php)
- Displayed in: /admin/manage-notices.php and the dashboard
- Vulnerable fields: Notice Title, Notice Description
- Payload used (PoC): `<img src=x onerror=alert(0)>`

Steps to Reproduce:
1. Log in to the admin panel.
2. Go to “Add Notice”.
3. Enter `<img src=x onerror=alert(0)>` as the Notice Title and as the Notice Description.
4. Submit the form.
5. Navigate to “Manage Notices” or the Dashboard.
6. Observe that the JavaScript executes and pops up an alert.

Impact:
- Risk level: High
- Exploitability: Easy
- Attack vector: Stored (persistent) via authenticated admin
- Consequences: arbitrary JavaScript execution, admin session hijacking, phishing attacks, full account compromise (especially dangerous if the admin panel auto-loads notices)

Remediation:
- Encode user-supplied values before rendering them, using `htmlspecialchars($input, ENT_QUOTES, 'UTF-8');`
- Sanitize and encode all user-supplied content before rendering it in HTML.
- Use server-side or library-based HTML filtering such as HTMLPurifier.
- Optional: set a strong Content Security Policy (CSP) header; enable output-encoding libraries or framework-based XSS protection; validate input length and character content before storing.
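The remediation above, worked through as an added example (this is not PHPGurukul's code): the array keys `title` and `description`, the helper `e()` and the two render functions are assumed names for illustration, and the stored value is the payload from the report.

```php
<?php
// Added example, not code from PHPGurukul Notice Board System.
// Keys 'title'/'description' and the function names are assumed for illustration.
declare(strict_types=1);

// A notice record as it would be read back from the database after the
// "Add Notice" form stored the payload unencoded.
$notice = [
    'title'       => '<img src=x onerror=alert(0)>',
    'description' => '<img src=x onerror=alert(0)>',
];

// Encode a value for an HTML text or quoted-attribute context. ENT_QUOTES
// encodes both ' and " so the helper is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The vulnerable pattern: stored values concatenated straight into markup,
// which is why manage-notices.php and the dashboard execute the payload.
function renderNoticeRowUnsafe(array $n): string
{
    return '<tr><td>' . $n['title'] . '</td><td>' . $n['description'] . '</td></tr>';
}

// The fixed pattern: identical structure, every user-supplied value encoded
// at the point it is written into HTML.
function renderNoticeRowSafe(array $n): string
{
    return '<tr><td>' . e($n['title']) . '</td><td>' . e($n['description']) . '</td></tr>';
}

// Optional defence in depth from the remediation list: a CSP that blocks
// inline event handlers such as onerror even if an encoding step is missed.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

$safe = renderNoticeRowSafe($notice);
echo $safe, PHP_EOL;

// Self-check: the encoded row no longer contains the injected tag; the browser
// displays the payload as literal text and runs nothing.
assert(strpos($safe, '<img') === false);
```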
| Source | http://localhost/nbs/manage-notices.php |
|---|
| User | Anzil (UID 86393) |
|---|
| Submission | 11.06.2025 13:41 (10 months ago) |
|---|
| Moderation | 19.06.2025 09:56 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 313301 [PHPGurukul Notice Board System 1.0 Add Notice manage-notices.php Title/Description Cross Site Scripting] |
|---|
| Points | 20 |
|---|