Vendor: Cyber Cafe Management System Project
By: Pruthvi Nekkanti
CVSS: 8.8 (HIGH)
Vulnerability type: Persistent Cross-Site Scripting
CWE: 79
Product Name: Cyber Cafe Management System Project
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: N/A
CPE: cpe:a:phpgurukul:cyber_cafe_management_system_project:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2020

Cyber Cafe Management System Project (CCMS) 1.0 – Persistent Cross-Site Scripting

This vulnerability allows an attacker to inject an XSS payload into the admin username. Each time any user visits the website, the XSS triggers and the attacker can steal cookies, depending on the crafted payload.

Mitigation:

Input validation should be done on the server side. Sanitize user input before using it, and use the latest version of the software.
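The mitigation above is easiest to see side by side. The following is an added example, not code from the CCMS project: it renders a stored admin username into an HTML attribute first the unsafe way (raw interpolation, which is the pattern the advisory exploits) and then with contextual output encoding, and adds the server-side validation that should run before the value is written. The sample value is the payload quoted on this page; the helper names, the character policy in `isValidAdminUsername`, and the `<input>` markup are assumptions, not the project's own.

```php
<?php
// Added example (not the project's code). Demonstrates why raw interpolation of a
// stored admin username is exploitable and how output encoding plus server-side
// validation closes the hole described in the advisory.

// Constructed sample: the value an attacker stored in the admin username field
// (payload taken from the advisory on this page).
$storedAdminName = '"><script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored value is concatenated straight into the HTML.
// The leading "> closes the attribute and the tag, so the <script> element that
// follows is parsed as markup and executes on every page load that shows the name.
function renderUnsafe(string $name): string
{
    return '<input type="text" name="username" value="' . $name . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and ' so the value cannot terminate the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $encoded . '">';
}

// Server-side validation on write. The allowed character set and length are an
// assumed policy for this example, not a rule from the project; the point is that
// the check runs on the server, so a tampered form cannot bypass it.
function isValidAdminUsername(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{3,32}$/', $name);
}

// Simulated write path: reject the payload before it ever reaches the database.
if (!isValidAdminUsername($storedAdminName)) {
    echo "Rejected admin username on the server side." . PHP_EOL;
}

// Read path: even if a bad value is already stored, encoding at output keeps it inert.
echo renderUnsafe($storedAdminName) . PHP_EOL;
echo renderSafe($storedAdminName) . PHP_EOL;
```

Run with `php example.php`. The unsafe line emits a closed tag followed by a live `<script>` element; the safe line emits the same characters as `&quot;`, `&gt;` and `&lt;` entities inside the attribute, so the browser shows the payload as literal text. Validation and encoding are complementary: validation keeps junk out of the database, encoding protects records that are already there and any other sink the same column reaches. Marking the session cookie `HttpOnly` would also blunt the specific `document.cookie` read in the advisory's payload, but it does not fix the injection itself.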

Exploit-DB raw data:

# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Pruthvi Nekkanti
# Vendor Homepage: https://phpgurukul.com
# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
# Version: 1.0
# Tested on: Kali Linux

Attack vector:
This vulnerability allows an attacker to inject an XSS payload into the admin username. Each time any user visits the website, the XSS triggers and the attacker can steal cookies, depending on the crafted payload.

Vulnerable Parameters: Admin Username.

Steps-To-Reproduce:
1. Go to the product admin panel and change the admin username.
2. Put this payload in the admin username field: "><script>alert(document.cookie)</script>
3. Now go to the website and the XSS will be triggered.