Submission #593878: PHPGurukul COVID19 Testing Management System 2021 version Stored Cross-Site Scripting (XSS) Information

Title: PHPGurukul COVID19 Testing Management System 2021 version Stored Cross-Site Scripting (XSS)

Description: A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in PHPGurukul COVID19 Testing Management System version 1.0. This vulnerability is present in the "Take Action" feature, specifically within the "remark" field on the /test-details.php page. An attacker can inject a malicious script into this field, which is then permanently stored in the application's database and executed whenever a user views the affected test details, leading to an XSS alert.

Reproduction Steps:
1. Navigate to a test detail page, for example: http://localhost/covid-tms/test-details.php?tid=5&&oid=716060226
2. Locate the "Take Action" feature.
3. In the "remark" field, input an XSS payload (e.g., <script>alert('XSS');</script>).
4. Submit the form.
5. Upon subsequent viewing of this specific test detail page, the injected script will execute, triggering the alert() pop-up.

Impact: Stored XSS vulnerabilities can lead to various severe consequences, including:
- Session Hijacking: Stealing user session cookies, allowing an attacker to impersonate the victim.
- Defacement: Modifying the content of the affected web page.
- Redirection: Redirecting users to malicious websites.
- Malware Distribution: Injecting code to download and execute malware on a user's machine.
- Data Theft: Exfiltrating sensitive user data displayed on the page.

Source: http://localhost/covid-tms/test-details.php?tid=5&&oid=716060226
User: Anzil (UID 86393)
Submitted: 2025-06-10 12:07 (10 months ago)
Moderated: 2025-06-19 09:24 (9 days later)
Status: Accepted
VulDB entry: 313291 [PHPGurukul COVID19 Testing Management System 1.0 Take Action /test-details.php remark Cross-Site Scripting]
Points: 20
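The root cause the submission describes is a stored "remark" value being written into the HTML of test-details.php without output encoding. The following is an added illustration, not code from PHPGurukul's application: a hypothetical stand-in for the rendering step, showing the unencoded pattern beside the fixed one (the function names, the `<td>` wrapper and the CSP policy are assumptions, not taken from the project).

```php
<?php
// Added example; not code from PHPGurukul COVID19 Testing Management System.
// The functions below are a hypothetical stand-in for the part of
// test-details.php that prints a stored "remark" into the page.

// Unencoded pattern (the class of defect reported): the remark retrieved from
// the database is concatenated straight into HTML, so a remark containing
// <script>...</script> becomes live markup every time the page is viewed.
function renderRemarkUnencoded(string $remark): string
{
    return '<td>' . $remark . '</td>';
}

// Fixed pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes single and double quotes, so the same helper is
// safe if the value is ever placed inside an attribute.
function renderRemarkEncoded(string $remark): string
{
    return '<td>' . htmlspecialchars($remark, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth (assumed policy, not the project's): a Content-Security-Policy
// that disallows inline scripts limits the damage if an encoding gap remains.
// Must be sent before any page output.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample: the payload string quoted in the submission, as the
// stored "remark" value would come back from the database.
$storedRemark = "<script>alert('XSS');</script>";

// In a browser the first line would execute the script; the second line
// shows the same text literally, which is the expected behaviour.
echo renderRemarkUnencoded($storedRemark), PHP_EOL;
echo renderRemarkEncoded($storedRemark), PHP_EOL;
```

The fix belongs at every place the remark is rendered, not only in the "Take Action" form; input-side filtering alone is not a substitute for output encoding.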
