Submeter #838683: code-projects Project Management System 1.0 Cross Site Scriptinginformação

Títulocode-projects Project Management System 1.0 Cross Site Scripting
DescriçãoPMS contains a stored cross-site scripting (XSS) vulnerability in its mail and feedback workflow. User-controlled content is written to the backend database and later rendered in HTML without output encoding. As a result, a malicious payload can be stored through the mail compose form or the feedback submission path and will execute when another user opens the corresponding mail view or feedback page. The issue affects both the Faculty and Student mail modules, as well as the feedback display flow. The root cause is unsafe handling of untrusted input in both storage and presentation. In the mail modules, message content is inserted into the database and later echoed back into the page without escaping. In the feedback workflow, the submitted feedback value is stored in the project record and then rendered directly inside a <textarea> without encoding. During testing, the payload <img src=x onerror=alert(1)> was successfully stored and later executed in the browser, confirming the presence of a reproducible stored XSS condition.
Fonte⚠️ https://github.com/MyMySSS/CVE123/blob/main/cve4/PMS_CVE_Submission.md
Utilizador
 MyMy (UID 96642)
Submissão27/05/2026 11h56 (há 1 mês)
Moderação27/06/2026 20h29 (1 month later)
EstadoAceite
Entrada VulDB374499 [code-projects Project Management System 1.0 Mail Compose Page /mail.php Script de Site Cruzado]
Pontos20

Do you need the next level of professionalism?

Upgrade your account now!