| Название | code-projects Home Service System In PHP 1.0 Cross Site Scripting |
|---|
| Описание | A stored cross-site scripting (XSS) vulnerability exists in the booking.php component of code-projects Home Service System In PHP 1.0. The fname and lname parameters are not properly sanitized before being stored and later rendered in the admin panel.
This allows a remote unauthenticated attacker to inject malicious JavaScript which executes in the administrator's browser context. Successful exploitation leads to session cookie theft and complete administrative account takeover.
Proof of concept and exploitation details have been publicly disclosed. |
|---|
| Источник | ⚠️ https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git |
|---|
| Пользователь | imad alvi (UID 97088) |
|---|
| Представление | 08.04.2026 19:16 (19 дни назад) |
|---|
| Модерация | 26.04.2026 10:22 (18 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 359664 [code-projects Home Service System 1.0 Appointment Booking /booking.php fname/lname межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|