Vendor: PHP Business Directory
By: larrycompress
CVSS: 8,8 (HIGH)
Type: Reflected XSS, Stored XSS
CWE: 79, 89
Product Name: PHP Business Directory
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2016

PHP Business Directory – Multiple Vulnerabilities

The PHP Business Directory is vulnerable to Reflected XSS and Stored XSS. Reflected XSS can be exploited by sending a maliciously crafted URL to the victim, which, when clicked, executes the malicious code. Stored XSS can be exploited by sending a maliciously crafted URL to the victim, which, when clicked, executes the malicious code stored in the database. The malicious code can be injected into URL parameters such as businessname, slogan, businesslicence, address, city, suburb, businessstate, country, zippostcode, telephone1, telephone2, mobilecell, fax, email, website, socialmedia1, socialmedia2, socialmedia3, productservice, manager, paymentsaccepted, and categoryname.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the URL parameters. Access control should be used to restrict access to the administration web interface.
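
One way to apply the input-validation mitigation to the parameters listed above, paired with HTML encoding at output, as an added example (not code from PHP Business Directory or from the original advisory). The function names, validation rules and length limit are assumptions, and the sample values are constructed.

```php
<?php
// Added example: field names are from the advisory; rules, limits and
// function names are assumptions, not the product's own code.
const FIELD_RULES = [
    'email' => 'email', 'website' => 'url', 'zippostcode' => 'postcode',
    'telephone1' => 'phone', 'telephone2' => 'phone',
    'mobilecell' => 'phone', 'fax' => 'phone',
];
// Returns the trimmed value if it passes the rule for its field, else null.
function validate_field(string $name, string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 255) { // length cap in bytes
        return null;
    }
    switch (FIELD_RULES[$name] ?? 'text') {
        case 'email':
            $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
            break;
        case 'url':
            // FILTER_VALIDATE_URL does not restrict the scheme, so pin it.
            $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
            $ok = filter_var($value, FILTER_VALIDATE_URL) !== false
                && in_array($scheme, ['http', 'https'], true);
            break;
        case 'phone':
            $ok = preg_match('/^\+?[0-9 ()\-]{5,20}$/D', $value) === 1;
            break;
        case 'postcode':
            $ok = preg_match('/^[A-Za-z0-9 \-]{2,12}$/D', $value) === 1;
            break;
        default:
            // Free text (businessname, slogan, ...): valid UTF-8, no control
            // characters. Markup passes here and is neutralised by h().
            $ok = preg_match('/^[^\x00-\x1F\x7F]+$/Du', $value) === 1;
    }
    return $ok ? $value : null;
}
// Encode for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Constructed sample input, not taken from the advisory.
$post = ['businessname' => '<b>Acme</b>', 'website' => 'javascript:alert(1)', 'email' => 'info@example.com'];
foreach ($post as $name => $raw) {
    $clean = validate_field($name, $raw);
    echo $name, ': ', $clean === null ? '(rejected)' : h($clean), PHP_EOL;
}
```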

Exploit-DB raw data: