| Titre | code-projects Home Service System In PHP 1.0 Cross Site Scripting |
|---|
| Description | A stored cross-site scripting (XSS) vulnerability exists in the booking.php component of code-projects Home Service System In PHP 1.0. The fname and lname parameters are not properly sanitized before being stored and later rendered in the admin panel.
This allows a remote unauthenticated attacker to inject malicious JavaScript which executes in the administrator's browser context. Successful exploitation leads to session cookie theft and complete administrative account takeover.
Proof of concept and exploitation details have been publicly disclosed. |
|---|
| La source | ⚠️ https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git |
|---|
| Utilisateur | imad alvi (UID 97088) |
|---|
| Soumission | 08/04/2026 19:16 (il y a 19 jours) |
|---|
| Modérer | 26/04/2026 10:22 (18 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 359664 [code-projects Home Service System 1.0 Appointment Booking /booking.php fname/lname cross site scripting] |
|---|
| Points | 20 |
|---|