| Field | Value |
|---|---|
| Title | code-projects Simple ChatBox In PHP 1.0 Cross Site Scripting |
| Description | The Simple Chatbox in PHP v1.0 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the chat message handling functionality.<br><br>The vulnerability exists in the following endpoint: `/SimpleChatbox_PHP/chatbox/insert.php`<br><br>The application accepts user-supplied input through the `msg` parameter via an HTTP GET request. This parameter is used to submit chat messages, which are then stored by the application and displayed within the chat interface.<br><br>The application does not implement proper input validation or output encoding when processing the `msg` parameter. User input is accepted without sanitization, stored in the backend (e.g., database or file), and later rendered directly into the HTML response. Because of this, malicious HTML or JavaScript code embedded in the input is interpreted and executed by the browser.<br><br>An attacker can exploit this vulnerability by crafting a malicious request containing a JavaScript payload within the `msg` parameter. For example: `msg=Your message...<script>alert(1)</script>`<br><br>Once the payload is submitted, it is stored by the application and becomes part of the chat history. Whenever any user accesses the chat interface and the stored message is displayed, the injected script is executed automatically in their browser.<br><br>This behavior demonstrates a Stored (Persistent) Cross-Site Scripting vulnerability, as the malicious payload persists within the system and affects all users who view the compromised content.<br><br>The vulnerability arises due to:<br>- Lack of input validation for user-controlled data<br>- Absence of output encoding before rendering data in HTML<br>- Direct insertion of user input into the application response<br><br>Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the application. This can lead to session hijacking, cookie theft, unauthorized actions performed on behalf of users, and injection of malicious content into the chat system.<br><br>Because the chat functionality is typically accessible to multiple users, the impact of this vulnerability is amplified, as a single injected payload can affect all users interacting with the application. |
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md |
| User | AhmadMarzook (UID 96211) |
| Submitted | 03/04/2026 20:31 (11 days ago) |
| Moderated | 12/04/2026 20:11 (9 days later) |
| Status | accepted |
| VulDB Entry | 357039 [code-projects Simple ChatBox up to 1.0 Endpoint /chatbox/insert.php msg cross site scripting] |
| Points | 20 |
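The three root causes listed in the description (no input validation, no output encoding, direct insertion into the response) map onto a small amount of PHP on the rendering and insert side. The following is an added example written for this page; it is not code from the Simple ChatBox project or from the submitter, and every function name, the byte cap, the CSP value and the in-memory store are assumptions made here for illustration.

```php
<?php
// Added example, not the Simple ChatBox project's own code. Shows the
// unsafe rendering pattern the description matches next to a hardened
// form. All names below are hypothetical.

declare(strict_types=1);

// Pattern the description matches: the stored message is concatenated
// straight into the HTML, so any tags it carries are parsed by the browser.
function render_message_unsafe(string $msg): string
{
    return '<div class="msg">' . $msg . '</div>';
}

// Hardened form: encode on output for the HTML body context. ENT_QUOTES
// also encodes both quote characters, so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid byte sequences instead
// of returning an empty string.
function render_message_safe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="msg">' . $escaped . '</div>';
}

// Input-side control: reject invalid UTF-8, empty or oversized messages and
// strip C0 control characters (tab and newline kept). This limits what gets
// stored; it does not replace output encoding. Returns null on rejection.
function validate_message(string $msg, int $maxBytes = 500): ?string
{
    if (preg_match('//u', $msg) !== 1) {          // not valid UTF-8
        return null;
    }
    $msg = trim($msg);
    if ($msg === '' || strlen($msg) > $maxBytes) {
        return null;
    }
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $msg);
}

// Defence in depth for the page that lists messages: a restrictive CSP
// keeps an inline script from running even if an encoding bug slips through.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Insert handler. The description notes the original endpoint accepts the
// message via GET; a state-changing request should be POST only. The
// message is stored as raw text and encoded when rendered, never encoded
// at insert time (double encoding and lossy storage otherwise follow).
// $store is any callable that persists one message; returns an HTTP status.
function handle_insert(array $server, array $post, callable $store): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    $msg = validate_message((string) ($post['msg'] ?? ''));
    if ($msg === null) {
        return 400;
    }
    $store($msg);
    return 201;
}

// Constructed demonstration using the payload shape quoted in the description.
$messages = [];
$status = handle_insert(
    ['REQUEST_METHOD' => 'POST'],
    ['msg' => 'Your message...<script>alert(1)</script>'],
    function (string $m) use (&$messages): void { $messages[] = $m; }
);

echo "insert status: {$status}", PHP_EOL;
foreach ($messages as $m) {
    echo 'unsafe: ', render_message_unsafe($m), PHP_EOL;   // tags reach the browser intact
    echo 'safe:   ', render_message_safe($m), PHP_EOL;     // < and > become &lt; and &gt;
}
```

The important design point is where encoding happens: the message is validated on the way in but stored verbatim, and `htmlspecialchars()` is applied at the single place it is written into HTML. Encoding at insert time would leave every other consumer of the stored text (an API, a log viewer, a notification email) with HTML entities it does not want, and it would still not protect a template that later interpolates the value into a JavaScript or URL context, which need their own encoders.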