Vendor: Faculty Evaluation System using PHP/MySQLi with Source Code
Author: Vijay Sachdeva (pwnshell)
CVSS 3.1 severity: MEDIUM
Vulnerability class: Stored XSS (CWE-79)
Product Name: Faculty Evaluation System using PHP/MySQLi with Source Code
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:faculty_evaluation_system_using_phpmysqli_with_source_code
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2020

Faculty Evaluation System 1.0 – Stored XSS

A stored XSS vulnerability exists in the Faculty Evaluation System 1.0 application. An authenticated admin user can reach it by logging in, opening Questionnaires, clicking 'Action' for any Academic Year and then clicking Manage. Entering a script payload in the 'Question' field of the Question form and clicking 'Save' stores the payload without sanitization. From then on, whenever Questionnaires is opened, 'Action' is clicked for that Academic Year and Manage is selected, the stored payload executes in the browser of whoever views that 'Academic Year'.

Mitigation:

Input validation should be used to prevent malicious scripts from being stored in the application, and stored values should be encoded for their HTML context when they are rendered on the questionnaire pages. Additionally, the application should be configured to use a Content Security Policy (CSP) to prevent the execution of inline scripts.
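As an added illustration of the mitigation (this is not code from the Faculty Evaluation System or from the advisory author), the PHP below shows the two controls that close this class of bug: validating the 'Question' field on save, and HTML-encoding the stored value when the "manage questionnaire" page is built, with a CSP header that forbids inline scripts as a backstop. The function names, the 500-character limit and the table-row markup are assumptions for the example; the sample value is the payload quoted in the advisory, as it would be read back from the database.

```php
<?php
// Added example, not the project's own code. Function names, the length
// limit and the row markup are assumptions for illustration.
declare(strict_types=1);

/** Escape a value for insertion into HTML body text or a quoted attribute. */
function escape_html(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE avoids returning ''
    // on invalid UTF-8, which would otherwise silently blank the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Reject questions that are empty, over-long, or contain control characters. */
function validate_question(string $question): bool
{
    $trimmed = trim($question);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 500) {
        return false;
    }
    // Control characters (other than tab) have no place in a questionnaire item.
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $trimmed) !== 1;
}

/** Build one table row for the manage page; every dynamic value is encoded. */
function render_question_row(int $id, string $question): string
{
    return '<tr><td>' . escape_html((string) $id) . '</td>'
         . '<td>' . escape_html($question) . '</td></tr>';
}

/** Restrictive CSP: no inline scripts run even if an encoding call is missed. */
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample: the payload from the advisory as stored in MySQL.
$stored = '<script>alert("pwnshell")</script>';

// On save: validation alone does not reject this value (it is printable text),
// which is why output encoding, not input filtering, is the primary defence.
var_dump(validate_question($stored));

// On render: the angle brackets and quotes come out as HTML entities, so the
// browser displays the text instead of executing it.
send_csp_header();
echo render_question_row(1, $stored), PHP_EOL;
```

Note that `validate_question` accepts the advisory's payload, because a plain string of printable characters is a legitimate question as far as the form is concerned; the encoding in `render_question_row` is what turns `<script>` into `&lt;script&gt;` at display time. A script-free page reached through `'self'` sources only is also what makes the CSP effective: any inline `<script>` block, injected or not, is blocked by a policy without `'unsafe-inline'`.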

Exploit-DB raw data:

# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
# Exploit Author: Vijay Sachdeva (pwnshell)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
# Tested on Kali Linux

Step 1: Log in to the application with admin credentials.

Step 2: Click on Questionnaires, then click "Action" for any Academic Year and then click manage.

Step 3: Input "<script>alert("pwnshell")</script>" in "Question" field of the Question form.

Step 4: Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on Questionnaires, click action for any academic year, and then manage, your XSS Payloads will be triggered for that "Academic Year".