Soumettre #600559: SourceCodester Student Result Management System 1.0 Stored Cross Site Scriptinginformation

TitreSourceCodester Student Result Management System 1.0 Stored Cross Site Scripting
DescriptionA Stored Cross-Site Scripting (XSS) vulnerability exists in SRMS 1.0 via the School Name field on the system settings page. The application does not properly sanitize input before rendering it in the frontend. Once the malicious script is stored, it is injected into the root /srms/script/ page and automatically executed every time the page loads — even for unauthenticated users. This significantly increases the impact, as any visitor to the affected endpoint will trigger the payload, potentially enabling session hijacking, redirection, or other malicious activities without user interaction or authentication. 1 - Log in to the SRMS 1.0 application using an administrator account. 2 - Navigate to /srms/script/admin/system. 3 - In the School Name input field, insert the following payload: <script>alert('PoC VulDB SRMS')</script> Save the changes. 4 - Visit the root path /srms/script/. The injected JavaScript payload will automatically execute. 5 - Since this endpoint is accessible without authentication, the XSS is triggered for any user accessing the page, increasing the potential attack surface and confirming the presence of a high-impact Stored XSS vulnerability.
La source⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README9.md
Utilisateur
 RaulPACXXX (UID 84502)
Soumission19/06/2025 11:22 (il y a 1 Année)
Modérer21/06/2025 07:42 (2 days later)
StatutAccepté
Entrée VulDB313585 [SourceCodester Student Result Management System 1.0 System Settings Page /script/admin/system School Name cross site scripting]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!