Vendor: Hostel Management System
By: Chinmay Vishwas Divekar
CVSS: 4.3 (MEDIUM)
CWE: 79 - Cross Site Scripting (XSS)
Product Name: Hostel Management System
Affected Version From: 2.1
Affected Version To: 2.1
Patch Exists: NO
Related CWE:
CPE: //a:phpgurukul:hostel_management_system:2.1
Metasploit:
Other Scripts:
Platforms Tested: PopOS_20.10
2021

Hostel Management System 2.1 – Cross Site Scripting (XSS)

A Cross Site Scripting (XSS) vulnerability exists in Hostel Management System 2.1, which allows an attacker to inject malicious JavaScript code into the application. By entering a malicious payload into various input fields, such as Correspondence Address, Guardian Relation, Permanent Address, Guardian Name, Guardian Address, Student Name, and Student Address, an attacker can execute arbitrary JavaScript code in the victim's browser.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the application. Additionally, the application should be configured to use a Content Security Policy (CSP) to prevent malicious code from being executed.
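
The mitigation above, as an added PHP example that is not code from Hostel Management System or from the advisory author: it validates the listed fields on input, HTML-encodes them on output (a control added here beyond the two named above), and sends a CSP header. The form keys, validation rules and policy string are assumptions; the sample input reuses the payload from the reproduction steps on this page.

```php
<?php
declare(strict_types=1);
// Added example, not the application's code. The form keys below are
// hypothetical names for fields the advisory lists.
const NAME_FIELDS    = ['student_name', 'guardian_name', 'guardian_relation'];
const ADDRESS_FIELDS = ['corr_address', 'perm_address', 'guardian_address'];

/** Input validation: allow-list for names, length bound for free text. */
function validate_field(string $key, string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 255) { // length counted in bytes
        return null;
    }
    if (in_array($key, NAME_FIELDS, true)) {
        // Letters, spaces, dot, apostrophe and hyphen only.
        return preg_match('/^[\p{L} .\'-]+\z/u', $value) === 1 ? $value : null;
    }
    if (in_array($key, ADDRESS_FIELDS, true)) {
        // Addresses are free text: reject control characters except tab, CR, LF.
        return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 0 ? $value : null;
    }
    return null; // unknown field
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A CSP without 'unsafe-inline' blocks inline handlers such as onerror=. */
function send_csp(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample submission using the payload from the steps on this page.
$payload = '<img src=x onerror=alert(String.fromCharCode(88,83,83));>';
$post = ['student_name' => $payload, 'corr_address' => $payload];

send_csp();
foreach ($post as $key => $raw) {
    $clean = validate_field($key, $raw);
    // Names reject the payload; addresses cannot, so encode at render time.
    echo $key, ': ', $clean === null ? 'rejected' : e($clean), PHP_EOL;
}
```

The address rule accepts the payload unchanged, so encoding at render time is what keeps it inert in the page. The policy string assumes the application's own scripts are served as same-origin files rather than inline.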

Exploit-DB raw data:

# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS)
# Date: 26/12/2021
# Exploit Author: Chinmay Vishwas Divekar
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Tested on: PopOS_20.10

*Steps to reproduce*

1) Open the book-hostel page using the following URL: https://localhost/hostel/book-hostel.php
2) Enter the XSS payload <img src=x onerror=alert(String.fromCharCode(88,83,83));> in various input fields.
3) The server accepted our payload in the input fields.

Affected input fields: Correspondence Address, Guardian Relation, Permanent Address