| Title | Bdtask Bhojon All-In-One Restaurant Management System Latest Stored Cross-Site Scripting |
|---|
| Description | A critical Stored Cross-Site Scripting (Persistent XSS) vulnerability exists in Bdtask’s Bhojon All-In-One Restaurant Management System, specifically within the Profile Update / User Information module. The application fails to sanitize or encode user-supplied input before storing it and rendering it back on the profile page. By injecting a payload such as <script>alert(1)</script> into the Profile field, an attacker can store malicious JavaScript that executes every time the profile page is loaded. This results in persistent script execution across sessions and users, enabling session theft, account takeover, privilege escalation, admin compromise, phishing attacks, and malware injection. The issue affects the latest demo version available at the vendor’s site. |
|---|
| Source | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/12 |
|---|
| User | 4m3rr0r (UID 85795) |
|---|
| Submission | 01/16/2026 11:24 (5 months ago) |
|---|
| Moderation | 01/29/2026 09:44 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 343360 [Bdtask Bhojon All-In-One Restaurant Management System up to 20260116 User Information /dashboard/home/profile fullname cross site scripting] |
|---|
| Points | 20 |
|---|