| Title | SourceCodester Online Banking System July 14, 2021 - 17:13 Cross Site Scripting |
|---|
| Description | A Stored Cross-Site Scripting (XSS) vulnerability exists in the User Profile Update functionality of the application. The application fails to properly sanitize user‑supplied input in the First Name field before storing it in the database and rendering it across multiple pages.
An attacker can inject arbitrary JavaScript code into the First Name field, which will be executed every time any user (including administrators) views a page where that profile information is displayed. This allows attackers to perform actions such as session hijacking, credential theft, DOM manipulation, and full takeover of any account that loads the malicious profile data.
Proof of Concept Link:
https://mega.nz/file/T4hjCagS#87U1JgRHZWzXW2HTpBIG-H9dJ_w9kUERmaaQqJyB5_Q
Root Cause:
Improper neutralization and output encoding of user-controlled data (CWE‑79).
Impact:
Persistent JavaScript execution
Account takeover via session theft
Malware or phishing injection
Credential harvesting
Administrative compromise (if admin views the malicious profile)
Attack Vector:
Remote attacker with a low-privilege account can exploit the issue by modifying their profile details.
Sincerely,
Fatma Trabelsi |
|---|
| Source | ⚠️ https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html |
|---|
| User | fatmatrabelsi (UID 92973) |
|---|
| Submission | 11/26/2025 02:41 (5 months ago) |
|---|
| Moderation | 12/07/2025 16:30 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 334663 [SourceCodester Online Banking System 1.0 /?page=user First Name/Last Name cross site scripting] |
|---|
| Points | 20 |
|---|