| Title | itsourcecode Online Petshop Management System 1 Stored XSS in Admin Dashboard Triggered by Customer Orders |
|---|
| Description | The Petshop Online Website is vulnerable to Stored Cross-Site Scripting (XSS) via the order submission form. If a visitor submits an order with a malicious payload in the name or address fields, the input is stored in the database (tblorders) and later displayed directly on the admin dashboard without sanitization or escaping. As a result, the payload executes immediately in the admin’s browser when they view the new order. This allows an attacker to execute arbitrary JavaScript in the context of the admin user, potentially stealing cookies, performing actions on behalf of the admin, or manipulating dashboard content. The vulnerability exists because user input is stored and reflected without validation or output encoding. |
|---|
| Source | ⚠️ https://github.com/drew-byte/Online-Pet-Shop-Management-System_AdminDashboard_Stored-XSS-PoC/blob/main/README.md |
|---|
| User | drewbyte (UID 89075) |
|---|
| Submission | 09/09/2025 09:39 (9 months ago) |
|---|
| Moderation | 09/17/2025 14:12 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 324661 [itsourcecode Online Petshop Management System 1.0 Admin Dashboard availableframe.php name/address cross site scripting] |
|---|
| Points | 20 |
|---|