| Title | janobe Engineers Online Portal 1.0 Web application vulnerability |
|---|
| Description | The open-source Engineers Online Portal project is vulnerable to authenticated stored cross-site scripting.
Stored XSS (Cross-Site Scripting) is a type of XSS attack where the malicious script is injected and stored persistently on the target server.
1. Visit the site https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html.
2. Download and install the application on your system.
3. Log in to the admin panel using the path http://localhost/engineer/admin/ (default password for admin is admin:admin).
4. Once logged in, navigate to the "Engineers" option within the admin panel.
5. This option allows administrators to add engineers to the application.
6. Within this section, there are fields to select an office, add a first name, and add a last name.
7. Choose the office, input `<script>alert(0)</script>` in the first name field, and input `<script>alert(1)</script>` in the last name field.
8. Upon clicking the "+" button, you'll encounter an XSS (cross-site scripting) trigger.
9. After adding this input and submitting, a user will be created. Attempting to edit this user will also trigger the XSS.
10. Both the first name and last name fields are vulnerable to stored XSS attacks.
Another CVE of this project: https://nvd.nist.gov/vuln/detail/CVE-2021-42664 |
|---|
| Source | ⚠️ https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html |
|---|
| User | Farish (UID 60730) |
|---|
| Submission | 2023-12-28 11:26 (2 years ago) |
|---|
| Moderation | 2023-12-28 15:46 (4 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 249182 [SourceCodester Engineers Online Portal 1.0 Add Engineer first name/last name cross-site scripting] |
|---|
| Points | 20 |
|---|
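
An added example, not the project's code and not part of the submission: the output-encoding fix for the stored XSS in the first name and last name fields, shown for both the list view and the edit form where the report says the script fires. The array keys, function names and form layout are assumptions, since the page does not show the application's source.

```php
<?php
declare(strict_types=1);

// Constructed sample row (assumed column names) holding the values from the report.
$engineer = [
    'id'        => 7,
    'firstname' => '<script>alert(0)</script>',
    'lastname'  => '<script>alert(1)</script>',
];

// Encode a stored value for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into markup unchanged.
function render_row_unsafe(array $e): string
{
    return "<tr><td>{$e['firstname']}</td><td>{$e['lastname']}</td></tr>";
}

// Hardened list view: every stored value is encoded at output time.
function render_row_safe(array $e): string
{
    return '<tr><td>' . h($e['firstname']) . '</td><td>' . h($e['lastname']) . '</td></tr>';
}

// Hardened edit form: values sit in quoted attributes, so quotes are encoded too.
function render_edit_form_safe(array $e): string
{
    return '<form method="post">'
        . '<input type="hidden" name="id" value="' . (int) $e['id'] . '">'
        . '<input name="firstname" value="' . h($e['firstname']) . '">'
        . '<input name="lastname" value="' . h($e['lastname']) . '">'
        . '</form>';
}

// Server-side input check as defence in depth; it does not replace encoding.
function is_plausible_name(string $value): bool
{
    return preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,63}\z/u', $value) === 1;
}

// Compare the raw and encoded renderings of the same stored row.
echo render_row_unsafe($engineer), "\n";
echo render_row_safe($engineer), "\n";
echo render_edit_form_safe($engineer), "\n";
var_dump(is_plausible_name($engineer['firstname']), is_plausible_name("O'Neil-Smith"));
```

Encoding at output also neutralises rows that were stored before the fix, which an input check on new submissions alone would not.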