제출 #600559: SourceCodester Student Result Management System 1.0 Stored Cross Site Scripting정보

제목SourceCodester Student Result Management System 1.0 Stored Cross Site Scripting
설명A Stored Cross-Site Scripting (XSS) vulnerability exists in SRMS 1.0 via the School Name field on the system settings page. The application does not properly sanitize input before rendering it in the frontend. Once the malicious script is stored, it is injected into the root /srms/script/ page and automatically executed every time the page loads — even for unauthenticated users. This significantly increases the impact, as any visitor to the affected endpoint will trigger the payload, potentially enabling session hijacking, redirection, or other malicious activities without user interaction or authentication. 1 - Log in to the SRMS 1.0 application using an administrator account. 2 - Navigate to /srms/script/admin/system. 3 - In the School Name input field, insert the following payload: <script>alert('PoC VulDB SRMS')</script> Save the changes. 4 - Visit the root path /srms/script/. The injected JavaScript payload will automatically execute. 5 - Since this endpoint is accessible without authentication, the XSS is triggered for any user accessing the page, increasing the potential attack surface and confirming the presence of a high-impact Stored XSS vulnerability.
원천⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README9.md
사용자
 RaulPACXXX (UID 84502)
제출2025. 06. 19. AM 11:22 (1 년도 ago)
모더레이션2025. 06. 21. AM 07:42 (2 days later)
상태수락
VulDB 항목313585 [SourceCodester Student Result Management System 1.0 System Settings Page /script/admin/system School Name 크로스 사이트 스크립팅]
포인트들20

Do you need the next level of professionalism?

Upgrade your account now!