Vendor: Police Crime Record Management System
By: Ömer Hasan Durmuş
CVSS: 7.5 (HIGH)
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Police Crime Record Management System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:police_crime_record_management_system:1.0
Metasploit:
Other Scripts:
Platforms Tested: Linux, Windows
2021

Police Crime Record Management System 1.0 – ‘Multiple’ Stored Cross-Site Scripting (XSS)

The Police Crime Record Management System 1.0 is vulnerable to multiple stored cross-site scripting (XSS) issues. An attacker can exploit them by injecting malicious code into the 'Firstname' or 'Othernames' field when adding staff. The injected JavaScript then executes in the context of the admin user's browser.

Mitigation:

To mitigate this vulnerability, it is recommended to properly sanitize and validate user input before storing or displaying it. Input filtering and output encoding techniques should be implemented.
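
The two controls named above, as an added PHP sketch that is not code from the application: `validate_name()` and `h()` are hypothetical helpers, and the character rules and sample values are assumptions chosen for illustration. It validates a name before it is stored and encodes every stored value when it is written into HTML.

```php
<?php
// Added example: helper names and the sample values are hypothetical,
// not taken from the application's source.

// Input validation at the "Add Staff" step: allow letters, combining marks,
// spaces, apostrophes and hyphens, 1 to 64 characters. Anything else is
// rejected outright instead of being "cleaned".
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} \'\-]{0,63}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Output encoding: applied every time a stored value is written into HTML,
// so rows saved before validation existed are rendered as inert text too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the Step 3 test string and two ordinary names.
$samples = ['<img src=x onerror=alert(1)>', 'Ömer Hasan', "O'Neil-Smith"];

foreach ($samples as $firstname) {
    $status = validate_name($firstname) === null ? 'rejected' : 'accepted';
    // The cell content is always encoded, whatever the validation result.
    printf("%-8s <td>%s</td>\n", $status, h($firstname));
}
```

Validation alone does not protect records that are already stored, which is why the encoding step sits at the point of output.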

Exploit-DB raw data:

# Exploit Title: Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 12/08/2021
# Exploit Author: Ömer Hasan Durmuş
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Version: v1.0
# Category: Webapps
# Tested on: Linux/Windows

Step 1 : Log in to the admin account at http://TARGET/ghpolice/login.php with the default credentials. (1111:admin123)
Step 2 : Then click on the "Add Staff"
Step 3 : Input "<img src=x onerror=alert(1)>" in the field "Firstname" or "Othernames"
Step 4 : Click on "Save and Continue"
Step 5 : Update page.