| Название | PHPGurukul Bus Pass Management System None Stored Cross-Site Scripting (XSS) |
|---|
| Описание | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in PHPGurukul Bus Pass Management System version 1.0. This vulnerability resides on the administrative profile page, specifically at /buspassms/admin/admin-profile.php. An attacker with administrative privileges can inject malicious script into an input field (e.g., name, contact details, or other editable profile fields) on this page. The injected script is then permanently stored in the application's database and executed every time the /admin/admin-profile.php page is accessed by any user, including other administrators.
Steps to reproduce :
step 1: go to the site
step 2: then move on profile page
step3 : edit the profile name , and xss payload on there .
step 4: after payload triggered the alert will get on that site in everywhere when i click .
Impact:
Stored XSS vulnerabilities pose a significant risk, potentially leading to:
Administrative Account Takeover: If an attacker can inject scripts that steal session cookies of other administrators.
Website Defacement: Altering the appearance or content of the administrator profile page or other parts of the application.
Malware Distribution: Redirecting users to malicious websites or forcing drive-by downloads.
Privilege Escalation: Performing unauthorized actions on behalf of a victimized administrator.
Data Exfiltration: Stealing sensitive information displayed on the affected page . |
|---|
| Источник | ⚠️ http://localhost/buspassms/buspassms/admin/admin-profile.php |
|---|
| Пользователь | Anzil (UID 86393) |
|---|
| Представление | 10.06.2025 13:45 (11 месяцы назад) |
|---|
| Модерация | 19.06.2025 09:26 (9 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 313292 [PHPGurukul Bus Pass Management System 1.0 Profile Page /admin/admin-profile.php profile name межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|