Vendor: Multi Branch School Management System
By: Kislay Kumar
CVSS: 8.8 (HIGH)
Vulnerability Type: Stored XSS
CWE: 79
Product Name: Multi Branch School Management System
Affected Version From: 3.5
Affected Version To: 3.5
Patch Exists: NO
Related CWE: N/A
CPE: a:ramomcoder:multi_branch_school_management_system:3.5
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2020

Multi Branch School Management System 3.5 – “Create Branch” Stored XSS

A stored cross-site scripting vulnerability exists in Multi Branch School Management System 3.5. An attacker can exploit this vulnerability by inserting malicious payloads into the 'Branch Name', 'School Name', 'Mobile No.', 'Currency', 'Symbol', 'City' and 'State' fields when creating a new branch. When the victim views the page, the malicious payload will be executed.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized before being stored or displayed. Additionally, the application should be configured to use a secure HTTP connection.
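As an added illustration of the mitigation above (not code from the advisory or from the Ramom product), the snippet below applies an allow-list check to each of the seven "Create Branch" fields the advisory names and HTML-encodes every stored value when it is rendered back, so the advisory's payload is displayed as text rather than executed. The per-field patterns and the HTML-table rendering context are assumptions; values emitted into a JavaScript or URL context would need that context's encoding instead.

```python
import html
import re

# Fields the advisory lists as affected by the "Create Branch" form.
BRANCH_FIELDS = ("branch_name", "school_name", "mobile_no", "currency", "symbol", "city", "state")

# Per-field allow-list rules (assumed for this example; the real application's rules are not on the page).
FIELD_RULES = {
    "branch_name": re.compile(r"^[\w .&'-]{1,100}$"),
    "school_name": re.compile(r"^[\w .&'-]{1,100}$"),
    "mobile_no": re.compile(r"^\+?[0-9 -]{5,20}$"),   # digits, spaces, dashes, optional leading +
    "currency": re.compile(r"^[A-Z]{3}$"),            # ISO 4217 style code such as USD
    "symbol": re.compile(r"^[^<>\"'&]{1,5}$"),        # short symbol, no markup-significant characters
    "city": re.compile(r"^[\w .'-]{1,60}$"),
    "state": re.compile(r"^[\w .'-]{1,60}$"),
}

def validate_branch(branch: dict) -> dict:
    """Return {field: reason} for every field that fails its allow-list; an empty dict means valid."""
    errors = {}
    for field in BRANCH_FIELDS:
        value = branch.get(field, "")
        if not isinstance(value, str) or not FIELD_RULES[field].fullmatch(value):
            errors[field] = "value does not match the allowed format"
    return errors

def render_branch_row(branch: dict) -> str:
    """Render one HTML table row, encoding every stored value at output time (defence in depth)."""
    cells = "".join(f"<td>{html.escape(branch.get(f, ''), quote=True)}</td>" for f in BRANCH_FIELDS)
    return f"<tr>{cells}</tr>"

# Constructed sample data: the advisory's payload in every affected field, and a clean branch.
PAYLOAD = '"><img src onerror=alert(1)>'
MALICIOUS_BRANCH = {f: PAYLOAD for f in BRANCH_FIELDS}
CLEAN_BRANCH = {"branch_name": "North Campus", "school_name": "Example High School",
                "mobile_no": "+1 555-0100", "currency": "USD", "symbol": "$",
                "city": "Springfield", "state": "IL"}

if __name__ == "__main__":
    print(validate_branch(MALICIOUS_BRANCH))    # all seven fields rejected
    print(validate_branch(CLEAN_BRANCH))        # {}
    print(render_branch_row(MALICIOUS_BRANCH))  # payload rendered inert: &quot;&gt;&lt;img ...
```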

Exploit-DB raw data:

# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: https://www.ramomcoder.com/
# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
# Affected Version: 3.5
# Category: Web Application
# Tested on: Kali Linux

Step 1. Login as Super Admin.

Step 2. Select "Branch" from menu and after that click on "Create Branch".

Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name",
"School Name", "Mobile No.", "Currency", "Symbol", "City" and "State".

Step 4. Now click on "Save" and you will get a list of alert boxes.