| 제목 | XSS in Simple Cashiering System can lead to Session Takeover |
|---|
| 설명 | The Simple Cashiering System (https://www.sourcecodester.com/php/14945/simple-cashiering-system-pos-php-and-sqlite-source-code-free-download.html) distributed by sourcecodester.com is vulnerable to XSS in the fullname field of any user account.
A malicious actor can abuse this by getting access to the application, modifying the fullname of their compromised user account and whenever the admin either visits the user tab in the admin dashboard or has a look at any of the orders taken by that account via the Sales tab the XSS is executed and the cookie can be extracted due to a missing HttpOnly flag. |
|---|
| 사용자 | maikroservice (UID 35150) |
|---|
| 제출 | 2022. 11. 11. PM 01:15 (4 연령 ago) |
|---|
| 모더레이션 | 2022. 11. 11. PM 01:17 (2 minutes later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 213455 [Sourcecodester Simple Cashiering System User Account fullname 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 17 |
|---|