| 标题 | projectworlds Advanced Library Management System 1 Improper Neutralization of Alternate XSS Syntax |
|---|
| 描述 | A stored cross-site scripting (XSS) vulnerability was identified in Advanced Library Management System V1.0. The issue occurs in the /edit_admin.php?admin_id=1 endpoint, where the firstname POST parameter is stored in the database and later rendered in the application without proper escaping. An authenticated attacker can inject malicious JavaScript (e.g., <script>alert(/XSS/)</script>), which will execute whenever the affected page is viewed. Successful exploitation could lead to session hijacking, account takeover, CSRF, or distribution of malicious content to other users. The root cause is insufficient input validation and missing context-aware output encoding. Recommended fixes include applying htmlspecialchars() for output, enforcing strict input validation, implementing a Content Security Policy (CSP), and sanitizing existing stored values. |
|---|
| 来源 | ⚠️ https://github.com/ChenGuangHuangHun/CVE/issues/2 |
|---|
| 用户 | chenguang (UID 91178) |
|---|
| 提交 | 2025-10-01 08時25分 (7 月前) |
|---|
| 管理 | 2025-10-07 13時44分 (6 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 327360 [projectworlds Advanced Library Management System 1.0 /edit_admin.php firstname 跨网站脚本] |
|---|
| 积分 | 20 |
|---|