Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting

vendor:

Regis Inventory And Monitoring System

by:

George Tsimpidas

8.8

CVSS

HIGH

Stored Cross-Site Scripting

CWE

Product Name: Regis Inventory And Monitoring System

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:regis_inventory_and_monitoring_system:1.0.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux 2020.4

2021

Regis Inventory And Monitoring System 1.0 – ‘Item List’ Persistent Cross-Site Scripting

Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category. An attacker can exploit this vulnerability by logging in as an admin, visiting the item.php page, clicking add a New Item and inputting a malicious payload on the 'Generic Name' textbox. After inputting the Item values and submitting the form, it will trigger an XSS pop-up.

Mitigation:

Input validation should be used to prevent malicious code from being stored in the database. Additionally, output encoding should be used to prevent malicious code from being executed.

Source

Exploit-DB raw data:

# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting
# Exploit Author: George Tsimpidas
# Date: 2021-03-25
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
# Version : 1.0.0
# Tested on: Kali Linux 2020.4
# Category: Webapp

# Description

Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category

#PoC

1. Login as admin : http://localhost/regis_inventory/index.php
2. Visit : http://localhost/regis_inventory/item.php
3. Click add a New Item and input your payload on "Generic Name" textbox.

Payload : <script>alert("XSS")</script>

4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up