Submeter #600559: SourceCodester Student Result Management System 1.0 Stored Cross Site Scriptinginformação

TítuloSourceCodester Student Result Management System 1.0 Stored Cross Site Scripting
DescriçãoA Stored Cross-Site Scripting (XSS) vulnerability exists in SRMS 1.0 via the School Name field on the system settings page. The application does not properly sanitize input before rendering it in the frontend. Once the malicious script is stored, it is injected into the root /srms/script/ page and automatically executed every time the page loads — even for unauthenticated users. This significantly increases the impact, as any visitor to the affected endpoint will trigger the payload, potentially enabling session hijacking, redirection, or other malicious activities without user interaction or authentication. 1 - Log in to the SRMS 1.0 application using an administrator account. 2 - Navigate to /srms/script/admin/system. 3 - In the School Name input field, insert the following payload: <script>alert('PoC VulDB SRMS')</script> Save the changes. 4 - Visit the root path /srms/script/. The injected JavaScript payload will automatically execute. 5 - Since this endpoint is accessible without authentication, the XSS is triggered for any user accessing the page, increasing the potential attack surface and confirming the presence of a high-impact Stored XSS vulnerability.
Fonte⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README9.md
Utilizador
 RaulPACXXX (UID 84502)
Submissão19/06/2025 11h22 (há 1 Ano)
Moderação21/06/2025 07h42 (2 days later)
EstadoAceite
Entrada VulDB313585 [SourceCodester Student Result Management System 1.0 System Settings Page /script/admin/system School Name Script de Site Cruzado]
Pontos20

Want to know what is going to be exploited?

We predict KEV entries!