| Title | SourceCodester Online Railway Reservation System 1.0 Cross Site Scripting |
|---|
| Description | A Stored Cross site Scripting Vulnerability was discoveed in Sourcecoderster's Online Railway Reservation System
Vulnerable product:https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
The page contact_us.php has functionality to send inquiries of customers to the admin, but the insecure design of /admin/inquiries/index.php makes it vulnerable to send a malicious JavaScript code. Once the admin visits the inquiries page, the JavaScript code gets executed and can be used to steal the admin's cookies.
The index.php file is vulnerable to XSS attacks. XSS: The <?= ucwords($row['fullname']) ?>, <?= ($row['email']) ?>, and <?= ($row['message']) ?> code is vulnerable to XSS attacks because it directly outputs user-input data without proper sanitization or encoding.
Check more details in Advisory |
|---|
| Source | ⚠️ https://github.com/gurudattch/CVEs/blob/main/Sourcecoderster-Online-Railway-Reservation-System-stored-xss.md |
|---|
| User | guru (UID 74056) |
|---|
| Submission | 09/23/2024 13:45 (2 years ago) |
|---|
| Moderation | 09/27/2024 18:47 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 278794 [SourceCodester Online Railway Reservation System 1.0 Message Us Form contact_us.php fullname/email/message cross site scripting] |
|---|
| Points | 20 |
|---|