Vendor: Queue Management System
Author: Kislay Kumar
CVSS: 8.8 (HIGH)
Vulnerability Type: Stored XSS
CWE: 79
Product Name: Queue Management System
Affected Version From: 4.0.0
Affected Version To: 4.0.0
Patch Exists: No
Related CWE: N/A
CPE: 2.3:a:codekernel:queue_management_system:4.0.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2020

Queue Management System 4.0.0 – “Add User” Stored XSS

Queue Management System 4.0.0 is vulnerable to stored XSS. An attacker can exploit this vulnerability by inserting malicious payloads in the "First Name", "Last Name" and "Email" fields of the "Add User" page. When an admin user visits the "User List" page, the malicious payload will be executed, resulting in the execution of arbitrary JavaScript code in the context of the admin user's browser.

Mitigation:

The vendor should validate user input before storing it in the database and, because the payload fires when the stored values are rendered, HTML-encode the "First Name", "Last Name" and "Email" fields wherever they are written into the "User List" page.
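As an added illustration of that mitigation (this is example code, not code from the product or from the advisory), the following Python models the "User List" row rendering with and without HTML output encoding and uses the standard-library HTML parser to show what a browser would see for the advisory's payload; the row layout, field names and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the three "Add User" fields filled with the payload from the advisory.
PAYLOAD = '"><svg/onload=alert(1)>'
SUBMITTED_USER = {"first_name": PAYLOAD, "last_name": PAYLOAD, "email": PAYLOAD}

def render_row_vulnerable(user):
    """Hypothetical rendering that mirrors the flaw: stored values are interpolated verbatim."""
    return (f'<tr><td>{user["first_name"]}</td><td>{user["last_name"]}</td>'
            f'<td><a href="mailto:{user["email"]}">{user["email"]}</a></td></tr>')

def render_row_fixed(user):
    """Same row with contextual output encoding: html.escape(quote=True) is safe for
    both text nodes and double-quoted attribute values such as href."""
    e = {k: html.escape(v, quote=True) for k, v in user.items()}
    return (f'<tr><td>{e["first_name"]}</td><td>{e["last_name"]}</td>'
            f'<td><a href="mailto:{e["email"]}">{e["email"]}</a></td></tr>')

def looks_like_markup(value):
    """Defence in depth for the "Add User" handler: a name or e-mail address never
    legitimately contains angle brackets. Output encoding remains the primary fix."""
    return "<" in value or ">" in value

class TagAudit(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would see in a fragment."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))

def audit(fragment):
    """Return (tags, handlers) found in an HTML fragment; used to compare the two renderers."""
    p = TagAudit()
    p.feed(fragment)
    p.close()
    return p.tags, p.handlers

if __name__ == "__main__":
    # The vulnerable row yields four <svg> elements with onload handlers; the fixed row yields none.
    print("vulnerable:", audit(render_row_vulnerable(SUBMITTED_USER)))
    print("fixed:     ", audit(render_row_fixed(SUBMITTED_USER)))
```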

Exploit-DB raw data:

# Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS

# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: http://codekernel.net/
# Software Link: https://codecanyon.net/item/queue-management-system/22029961
# Affected Version: Version 4.0.0
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Kali Linux

Step 1. Log in as admin.

Step 2. Select "Users" from the menu and click on "Add User".

Step 3. Insert the following payload in the "First Name", "Last Name" and "Email" fields: "><svg/onload=alert(1)>

Step 4. Now open "User List" from the menu and you will get an alert box.