Vendor: Sales and Inventory System for Grocery Store
By: Vijay Sachdeva (pwnshell)
CVSS: 8.8 (HIGH)
CWE: 79 (Stored XSS)
Product Name: Sales and Inventory System for Grocery Store
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:sales_and_inventory_system_for_grocery_store
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2020

Sales and Inventory System for Grocery Store 1.0 – Multiple Stored XSS

A stored XSS vulnerability exists in Sales and Inventory System for Grocery Store 1.0. An attacker who is logged in with admin credentials can click 'Customer' in the left-hand menu, click 'Add Customer', and enter a malicious payload in the 'First Name' field of the 'Add Customer' form. When the attacker clicks 'Save', the payload is stored and is executed every time the 'Customer' page is opened. The same stored XSS exists on the 'Product' page: selecting any product and choosing 'Action' to edit it allows a malicious payload to be entered in any of the fields, and that payload is triggered as well.

Mitigation:

Input validation should be used to prevent malicious payloads from being stored in the application, and the application should be configured to accept input only from trusted sources.
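As an added example (not code from the advisory or from the project itself), the unescaped rendering the advisory describes beside its hardened form: encoding the stored value on output with htmlspecialchars is what stops the payload from executing, and the input check is defence in depth on top of it, not a replacement. The function names and the customers/first_name schema are assumptions.

```php
<?php
// Added example, not code from the Sales and Inventory System project.
// Assumes a customers table with a first_name column and an existing PDO handle;
// the function names below are hypothetical.

declare(strict_types=1);

// Constructed sample: the payload quoted in the advisory, as it would sit in the
// database after the "Add Customer" form accepted it unchanged.
$storedFirstName = '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">';

// Vulnerable pattern: the stored value is concatenated straight into the HTML of
// the "Customer" listing, so the browser parses and executes it on every view.
function renderCustomerCellVulnerable(string $firstName): string
{
    return '<td>' . $firstName . '</td>';
}

// Hardened pattern: encode for the HTML context at output time. ENT_QUOTES also
// encodes single quotes, so the same call is safe inside attribute values.
function renderCustomerCellSafe(string $firstName): string
{
    return '<td>' . htmlspecialchars($firstName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth on input: a first name has no reason to contain markup.
// Reject rather than "clean" the value, and keep the output encoding regardless.
function isPlausibleFirstName(string $firstName): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,50}$/u', $firstName);
}

// Store with a prepared statement; the application already uses PDO.
function insertCustomer(PDO $pdo, string $firstName): bool
{
    if (!isPlausibleFirstName($firstName)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO customers (first_name) VALUES (:first_name)');
    return $stmt->execute([':first_name' => $firstName]);
}

// The vulnerable cell hands the script tag to the browser; the safe cell shows
// the payload as inert text, and the input check rejects it outright.
echo renderCustomerCellVulnerable($storedFirstName), PHP_EOL;
echo renderCustomerCellSafe($storedFirstName), PHP_EOL;
var_dump(isPlausibleFirstName($storedFirstName));
var_dump(isPlausibleFirstName("Anne-Marie O'Neil"));
```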

Exploit-DB raw data:

# Exploit Title: Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS
# Exploit Author: Vijay Sachdeva (pwnshell)
# Date: 2020-12-23
# Vendor Homepage: https://www.sourcecodester.com/php/11238/sales-and-inventory-system-grocery-store.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11238&title=Sales+and+Inventory+System+for+Grocery+Store+using+PHP%2FPDO+Full+Source+Code
# Tested on Kali Linux

Step 1: Log in to the application with admin credentials

Step 2: Click on "Customer" on the left side, then click "Add Customer".

Step 3: Input "<IMG """><SCRIPT>alert("XSS")</SCRIPT>">" in the "First Name" field of the "Add Customer" form.

Step 4: Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Customer" page, your XSS payload will be triggered.

Note: Stored XSS can also be found on the "Product" page: select any product and then go to "Action" to edit it. Input your payload "<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">" in any of the fields and your XSS payload will trigger.