提出 #600559: SourceCodester Student Result Management System 1.0 Stored Cross Site Scripting情報

タイトルSourceCodester Student Result Management System 1.0 Stored Cross Site Scripting
説明A Stored Cross-Site Scripting (XSS) vulnerability exists in SRMS 1.0 via the School Name field on the system settings page. The application does not properly sanitize input before rendering it in the frontend. Once the malicious script is stored, it is injected into the root /srms/script/ page and automatically executed every time the page loads — even for unauthenticated users. This significantly increases the impact, as any visitor to the affected endpoint will trigger the payload, potentially enabling session hijacking, redirection, or other malicious activities without user interaction or authentication. 1 - Log in to the SRMS 1.0 application using an administrator account. 2 - Navigate to /srms/script/admin/system. 3 - In the School Name input field, insert the following payload: <script>alert('PoC VulDB SRMS')</script> Save the changes. 4 - Visit the root path /srms/script/. The injected JavaScript payload will automatically execute. 5 - Since this endpoint is accessible without authentication, the XSS is triggered for any user accessing the page, increasing the potential attack surface and confirming the presence of a high-impact Stored XSS vulnerability.
ソース⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README9.md
ユーザー
 RaulPACXXX (UID 84502)
送信2025年06月19日 11:22 (1 年 ago)
モデレーション2025年06月21日 07:42 (2 days later)
ステータス承諾済み
VulDBエントリ313585 [SourceCodester Student Result Management System 1.0 System Settings Page /script/admin/system School Name クロスサイトスクリプティング]
ポイント20

Do you know our Splunk app?

Download it now for free!