Submit #838683: code-projects Project Management System 1.0 Cross Site Scripting (info)

Title: code-projects Project Management System 1.0 Cross Site Scripting
Description: PMS contains a stored cross-site scripting (XSS) vulnerability in its mail and feedback workflow. User-controlled content is written to the backend database and later rendered in HTML without output encoding. As a result, a malicious payload can be stored through the mail compose form or the feedback submission path and will execute when another user opens the corresponding mail view or feedback page. The issue affects both the Faculty and Student mail modules, as well as the feedback display flow. The root cause is unsafe handling of untrusted input in both storage and presentation. In the mail modules, message content is inserted into the database and later echoed back into the page without escaping. In the feedback workflow, the submitted feedback value is stored in the project record and then rendered directly inside a <textarea> without encoding. During testing, the payload <img src=x onerror=alert(1)> was successfully stored and later executed in the browser, confirming the presence of a reproducible stored XSS condition.
Source: ⚠️ https://github.com/MyMySSS/CVE123/blob/main/cve4/PMS_CVE_Submission.md
User: MyMy (UID 96642)
Submission: 27/05/2026 11:56 (1 month ago)
Moderation: 27/06/2026 20:29 (1 month later)
Status: Accepted
VulDB entry: 374499 [code-projects Project Management System 1.0 Mail Compose Page /mail.php cross site scripting]
Points: 20
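
The description's root cause, stored values echoed into HTML and into a <textarea> without encoding, is fixed by encoding at the point of output. The PHP below is an added example, not code from the Project Management System or from the submission; the helper names, the array keys (subject, message, feedback) and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not the project's own code.

/** Encode untrusted text for an HTML element body or a quoted attribute value. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unsafe pattern described in the report: stored mail content echoed as-is. */
function render_mail_unsafe(array $mail): string
{
    return '<div class="mail-body">' . $mail['message'] . '</div>';
}

/** Hardened mail view: every stored field is encoded when it is written out. */
function render_mail_safe(array $mail): string
{
    // Encode first, then add <br> for line breaks, so the only markup is ours.
    return '<h3>' . e($mail['subject']) . '</h3>'
         . '<div class="mail-body">' . nl2br(e($mail['message'])) . '</div>';
}

/** Hardened feedback view: the stored value is encoded inside the textarea as well. */
function render_feedback_safe(array $project): string
{
    return '<textarea name="feedback" readonly>' . e($project['feedback']) . '</textarea>';
}

// Constructed rows standing in for database records (column names assumed).
$stored  = '<img src=x onerror=alert(1)>'; // test string quoted in the report
$mail    = ['subject' => 'Status', 'message' => "Line one\n" . $stored];
$project = ['feedback' => $stored];

$unsafe   = render_mail_unsafe($mail);
$safe     = render_mail_safe($mail);
$feedback = render_feedback_safe($project);

// The unsafe view carries the tag through; the hardened views must not.
if (strpos($unsafe, '<img') === false) {
    throw new RuntimeException('expected raw markup in the unsafe rendering');
}
foreach ([$safe, $feedback] as $html) {
    if (strpos($html, '<img') !== false || strpos($html, '&lt;img') === false) {
        throw new RuntimeException('stored value was not encoded');
    }
}
echo $safe, PHP_EOL, $feedback, PHP_EOL;
```

Encoding belongs in the view, not at insert time, so that rows already stored in the database are rendered safely too.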
