Vendor: Book Store Management System
By: Rajeshwar Singh
CVSS: 5.5 (MEDIUM)
Vulnerability Type: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Book Store Management System
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: NO
Platforms Tested: Windows/XAMPP
Year: 2022

Book Store Management System 1.0.0 – Stored Cross-Site Scripting (XSS)

This stored XSS lets an authenticated attacker inject script into Book Store Management System 1.0.0 through the 'Name' input field of the 'Add New System User' page. Once the payload '<script>alert("XSS")</script>' has been saved in that field, an alert box with the message 'XSS' is shown whenever the page that lists system users is visited.

Mitigation:

To mitigate this vulnerability, the application should validate user input when it is submitted and HTML-encode stored values for the context they are rendered in (here, the user list page) before displaying them. Additionally, input fields should be configured to reject or sanitize any potentially malicious code.
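The rendering pattern behind a stored XSS of this kind, beside its output-encoded form, as an added PHP example; it is not code from bsms_ci, and the function names and the $user['name'] field are assumptions about how the user list view might be built:

```php
<?php
// Added example, not code from the bsms_ci project. $user['name'] and the
// function names are assumptions about how the user list might be rendered.

// Vulnerable: the stored name is concatenated straight into HTML. A name such as
// "><script>alert("XSS")</script> closes the attribute and runs as script for
// every administrator who opens the user list page.
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td data-name="' . $user['name'] . '">' . $user['name'] . '</td></tr>';
}

// Hardened: encode at output time, for every HTML context the value lands in.
// ENT_QUOTES is what neutralises the leading "> of this payload; without it the
// double quote survives and the attribute can still be broken out of.
// CodeIgniter ships an equivalent helper (html_escape() in CI3, esc() in CI4);
// which one applies depends on the framework version, which the advisory omits.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderUserRow(array $user): string
{
    $name = escHtml($user['name']);
    return '<tr><td data-name="' . $name . '">' . $name . '</td></tr>';
}

// Regression check for the view: true when no raw <script> tag survives and the
// tag and quote characters appear only in their encoded forms.
function isEncoded(string $html): bool
{
    return strpos($html, '<script') === false
        && strpos($html, '&lt;script&gt;') !== false
        && strpos($html, '&quot;&gt;') !== false;
}

// Constructed input: the payload quoted in this advisory.
$payload = '"><script>alert("XSS")</script>';
$safeRow = renderUserRow(['name' => $payload]);

echo "unsafe: " . renderUserRowUnsafe(['name' => $payload]) . "\n";
echo "safe:   " . $safeRow . "\n";
echo "encoded correctly: " . (isEncoded($safeRow) ? 'yes' : 'no') . "\n";
```

Input validation on the 'Add New System User' form is worthwhile defence in depth, but the output encoding is the fix that holds regardless of how the value reached the database.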

Exploit-DB raw data:

# Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-11-08
# Exploit Author: Rajeshwar Singh
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip
# Tested on: Windows/XAMPP
###########################################################################

Payload used = "><script>alert("XSS")</script>

1. Visit URL http://localhost/bsms_ci/
2. Log in with admin credentials.
3. Navigate to User Management.
4. Click on "Add New System User".
5. Add the payload in the "Name" input field.
6. Click Save.
7. Visit http://localhost/bsms_ci/index.php/user
8. The XSS payload executes.