| Title | projectworlds Lawyer Management System v1.0 Cross Site Scripting |
|---|
| Description | During a security assessment of the Lawyer Management System, a stored cross-site scripting (XSS) vulnerability was discovered in the lawyer registration functionality. The application fails to validate or sanitize the ‘first_Name’ input field during registration, and subsequently outputs this data unsanitized on the public ‘/lawyers.php’ page. An attacker can register as a lawyer with a malicious payload in the first name field. Once the account is activated (or automatically activated), any visitor – including administrators and other users – who browses the lawyer list will trigger the payload. This can lead to complete compromise of user sessions and sensitive data exposure. |
|---|
| Source | ⚠️ https://github.com/eqiya17/collection-of-vulnerability/issues/1 |
|---|
| User | WangYiQi (UID 96144) |
|---|
| Submission | 03/09/2026 09:46 (1 month ago) |
|---|
| Moderation | 03/22/2026 13:05 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352434 [projectworlds Lawyer Management System 1.0 /lawyers.php first_Name cross site scripting] |
|---|
| Points | 20 |
|---|