Vendor: Complaint Management System
By: Besim ALTINOK
CVSS: 7.5 (HIGH)
Vulnerability: Persistent Cross-Site Scripting
CWE: 79
Product Name: Complaint Management System
Affected Version From: 4.2
Affected Version To: 4.2
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:complaint_management_system:4.2
Metasploit:
Other Scripts:
Platforms Tested: Xampp

Complaint Management System 4.2 – Persistent Cross-Site Scripting

Complaint Management System 4.2 is vulnerable to persistent (stored) cross-site scripting. The fullName value submitted through the user registration form is stored without filtering and later echoed into the admin dashboard without output encoding, so script injected into that field executes in the browser of an administrator viewing the dashboard.

Mitigation:

To mitigate this vulnerability, implement input validation on the registration form and context-appropriate output encoding (HTML entity encoding) wherever fullName is rendered, such as the admin dashboard. All user-supplied data should be sanitized and filtered so that it is displayed as text rather than interpreted as markup or script.

Exploit-DB raw data:

# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT

------ Details:

1- Vulnerable code is here: http://localhost/cms/users/registration.php
2- Vulnerable code:

Inserts the user registration data into the DB without filtering:

if(isset($_POST['submit']))
{
    // Raw POST values are taken as-is; fullname is neither validated nor encoded
    $fullname=$_POST['fullname'];
    $email=$_POST['email'];
    $password=md5($_POST['password']);
    $contactno=$_POST['contactno'];
    $status=1;
    // Values are interpolated straight into the INSERT statement
    $query=mysqli_query($con,"insert into
        users(fullName,userEmail,password,contactNo,status)
        values('$fullname','$email','$password','$contactno','$status')");
    $msg="Registration successfull. Now You can login !";
}
?>

3- In the admin dashboard:

Gets fullName from the DB and prints it without any filtering:

<tr>
<td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td>
</tr>

4- If we insert "fullName" as "<script>prompt(2)</script>", we can perform
this attack as "Stored XSS"

5- Picture in the Attachment
---------------------------------------------------
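As an added example (not the vendor's code and not part of the original advisory), here is a hardened version of the two snippets above: the registration insert becomes a prepared statement with basic validation, and the dashboard cell HTML-encodes fullName before rendering. It assumes the same $con mysqli connection, the same users table and columns, and $row being the fetched user row as in the original dashboard; the length limit and digits-only contact number check are assumptions, not the vendor's rules.

```php
<?php
// Added example: hardened registration handler and dashboard cell.
// Assumes $con is an open mysqli connection and the users table from the advisory.

function register_user(mysqli $con, array $post): string
{
    // Server-side validation (assumed limits): bounded fullName length, a valid
    // e-mail address and a digits-only contact number; reject anything else.
    $fullname  = trim($post['fullname'] ?? '');
    $email     = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $contactno = $post['contactno'] ?? '';
    if ($fullname === '' || mb_strlen($fullname) > 100 || $email === false
        || !preg_match('/^\d{6,15}$/', $contactno)) {
        return 'Invalid registration data.';
    }
    // password_hash() replaces the unsalted md5() used in the original code.
    $password = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);
    $status   = 1;

    // Prepared statement: user input is bound as data, never interpolated into SQL.
    $stmt = $con->prepare(
        'INSERT INTO users(fullName,userEmail,password,contactNo,status) VALUES (?,?,?,?,?)'
    );
    $stmt->bind_param('ssssi', $fullname, $email, $password, $contactno, $status);
    $stmt->execute();
    $stmt->close();
    return 'Registration successful. Now you can login!';
}

// Output encoding at the point of rendering is what actually closes the stored XSS:
// the stored value stays as submitted, and is escaped for the HTML context here.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
?>
<tr>
    <td colspan="2"><b><?php echo h($row['fullName']); ?>'s profile</b></td>
</tr>
```

With the payload from step 4 stored in fullName, the dashboard now emits the literal text `&lt;script&gt;prompt(2)&lt;/script&gt;` in the page source, which the browser displays rather than executes.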