| 标题 | PHPGurukul Bus Pass Management System None Stored Cross-Site Scripting (XSS) |
|---|
| 描述 | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in PHPGurukul Bus Pass Management System version 1.0. This vulnerability resides on the administrative profile page, specifically at /buspassms/admin/admin-profile.php. An attacker with administrative privileges can inject malicious script into an input field (e.g., name, contact details, or other editable profile fields) on this page. The injected script is then permanently stored in the application's database and executed every time the /admin/admin-profile.php page is accessed by any user, including other administrators.
Steps to reproduce :
step 1: go to the site
step 2: then move on profile page
step3 : edit the profile name , and xss payload on there .
step 4: after payload triggered the alert will get on that site in everywhere when i click .
Impact:
Stored XSS vulnerabilities pose a significant risk, potentially leading to:
Administrative Account Takeover: If an attacker can inject scripts that steal session cookies of other administrators.
Website Defacement: Altering the appearance or content of the administrator profile page or other parts of the application.
Malware Distribution: Redirecting users to malicious websites or forcing drive-by downloads.
Privilege Escalation: Performing unauthorized actions on behalf of a victimized administrator.
Data Exfiltration: Stealing sensitive information displayed on the affected page . |
|---|
| 来源 | ⚠️ http://localhost/buspassms/buspassms/admin/admin-profile.php |
|---|
| 用户 | Anzil (UID 86393) |
|---|
| 提交 | 2025-06-10 13時45分 (11 月前) |
|---|
| 管理 | 2025-06-19 09時26分 (9 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 313292 [PHPGurukul Bus Pass Management System 1.0 Profile Page /admin/admin-profile.php profile name 跨网站脚本] |
|---|
| 积分 | 20 |
|---|