| Título | code-projects The Social Networking Site in PHP 1.0 Cross Site Scripting |
|---|
| Descrição | The Social Networking Site in PHP version 1.0 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the post content functionality.
The issue occurs because the application fails to properly sanitize or encode user-controlled input before storing it in the database and rendering it in the HTML response.
The vulnerable code renders the post content directly:
<div class="alert"><?php echo $row['content']; ?></div>
The content parameter is stored in the post database table and later displayed in the social feed without output encoding. Because the value is inserted directly into the HTML page, malicious HTML or JavaScript code may be interpreted and executed by the browser.
An attacker can exploit this vulnerability by submitting a specially crafted payload when creating a post. The injected payload becomes persistent in the database and is executed whenever the affected page is viewed by other users.
Example payload used during testing:
<details/open/ontoggle=prompt(origin)>
Successful exploitation allows attackers to execute arbitrary JavaScript within the context of the application, which may lead to session hijacking, cookie theft, or performing actions on behalf of authenticated users. |
|---|
| Fonte | ⚠️ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20PHP%20Social%20Networking%20Site.md |
|---|
| Utilizador | AhmadMarzook (UID 96211) |
|---|
| Submissão | 11/03/2026 18h06 (há 21 dias) |
|---|
| Moderação | 27/03/2026 09h51 (16 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 353856 [code-projects Social Networking Site 1.0 Alert /home.php content Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|