| Title | code-projects Intern Membership Management System published July 27, 2025 Cross Site Scripting |
|---|
| Description | Summary
The form page fill_details.php reflects unsanitized user input ($_POST) in the error message display, enabling reflected XSS.
Root Cause
The error message constructed using user input ($_POST) is directly embedded into HTML output without proper encoding. For example:
echo "<div class='error-message'>$error_message</div>";
Reproduction
Send a POST request to fill_details.php with malicious script embedded in the email field:
POST /intern/fill_details.php
Content-Type: application/x-www-form-urlencoded
email=<script>alert(1)</script>&insert_button=1
If email validation fails, the raw error message may be rendered as:
<div class='error-message'>Invalid Email Address<script>alert(1)</script></div>
This will execute the script in the browser.
Impact
An attacker can inject arbitrary JavaScript in the user’s browser, potentially leading to session hijacking, phishing, or redirecting the user to malicious websites.
|
|---|
| Source | ⚠️ https://github.com/shenxianyuguitian/intern-mms-vuln-XSS/blob/main/README.md |
|---|
| User | xuanyuesanshi (UID 88126) |
|---|
| Submission | 07/29/2025 10:57 (9 months ago) |
|---|
| Moderation | 07/30/2025 10:38 (24 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 318292 [code-projects Intern Membership Management System 1.0 Error Message fill_details.php email cross site scripting] |
|---|
| Points | 20 |
|---|