Vendor: User Registration & Login System with Admin Panel
By: Soushikta Chowdhury
CVSS: 8.8 (HIGH)
Type: Stored Cross Site Scripting
CWE: 79
Product Name: User Registration & Login System with Admin Panel
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: egavilanmedia:user_registration_and_login_system_with_admin_panel
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2020

EgavilanMedia User Registration & Login System with Admin Panel 1.0 – Stored Cross Site Scripting

EgavilanMedia User Registration & Login System with Admin Panel 1.0 is vulnerable to Stored Cross Site Scripting. An attacker can inject malicious JavaScript code in the Full Name parameter of the registration page. The malicious code will be stored in the database and will be executed when the Admin Panel is accessed.

Mitigation:

Input validation should be done on the server side to prevent malicious code injection.
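
An added example, not code from the vendor or from the advisory: a minimal Python sketch of server-side validation for the Full Name field. It goes one step beyond the mitigation above by also HTML-encoding stored values when the Manage Users table is rendered, and by auditing rows that are already stored. All function names, the length limit and the sample rows are hypothetical.

```python
import html
import unicodedata

MAX_NAME_LEN = 100  # assumed limit, not taken from the application

def validate_full_name(raw):
    """Server-side check for the registration form's Full Name field.
    Returns the normalized name or raises ValueError."""
    name = unicodedata.normalize("NFC", raw).strip()
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("full name length out of range")
    for ch in name:
        # Allow letters and combining marks in any script, plus a few separators.
        if not (unicodedata.category(ch)[0] in "LM" or ch in " '-."):
            raise ValueError(f"character not allowed in full name: {ch!r}")
    return name

def render_user_row(user_id, full_name, email):
    """Build one Manage Users table row, HTML-encoding every stored value on output."""
    cells = (str(user_id), full_name, email)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"

def audit_stored_names(rows):
    """Return ids of already-stored rows whose name fails validation (cleanup candidates)."""
    flagged = []
    for user_id, full_name in rows:
        try:
            validate_full_name(full_name)
        except ValueError:
            flagged.append(user_id)
    return flagged

# Constructed sample rows; row 2 holds the string from the reproduction steps.
SAMPLE_ROWS = [
    (1, "Anne-Marie O'Neil"),
    (2, '<script>alert("soushikta")</script>'),
    (3, "José Ángel"),
]

if __name__ == "__main__":
    print(audit_stored_names(SAMPLE_ROWS))
    print(render_user_row(2, SAMPLE_ROWS[1][1], "user@example.com"))
```

Validation rejects new submissions that contain markup, while output encoding keeps any value that is already in the database inert when an administrator views it.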

Exploit-DB raw data:

# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
# Exploit Author: Soushikta Chowdhury
# Vendor Homepage: http://egavilanmedia.com
# Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
# Version: 1.0
# Tested on: Windows 10
# Contact: https://www.linkedin.com/in/soushikta-chowdhury/

Vulnerable Parameters: Full Name
Steps to reproduce:
1. Go to registration page
2. Fill in the details & put <script>alert("soushikta")</script> payload in Full name.
3. Now go to Admin Panel. After entering go to Manage Users and go to the last page to check the newly added user. We could see that our payload gets executed.