Last active
November 20, 2024 01:49
Cross-Site Scripting (XSS) vulnerabilities in Client Management System Version 1.2
# Exploit Title: Reflected Cross Site Scripting (XSS)
# Date: 19/10/2024
# Exploit Author: Esquire
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.2
# Tested on: Kali Linux
# CVE: CVE-2024-51209

# Description #
Client Management System 1.2 is vulnerable to reflected cross-site scripting: a script tag can be injected through the search input field, which affects what the user sees on the page.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/clientms/admin/search-invoices.php or http://localhost/clientms/client/search-invoices.php
2) Log in as admin using test credentials: admin/Test@123 or as client: abc@gmail.com/Test
3) Go to: http://localhost/clientms/admin/admin-profile.php
4) Enter the following payload in the search input field: '<script>alert('XSS')</script>' or '<script>alert(1)</script>'
5) Next, click the search button to submit the script
6) If the web application is vulnerable, it will execute the script and display an alert box with the message "XSS" or "1".
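
The fix for this class of bug is output encoding at the point where the search term is written back into the page. The following is an added example, not code from Client Management System or from the exploit author; the function names, the heading markup and the allow-list pattern are assumptions made for illustration, since the application's source is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the heading a search page prints above its
// results; the real search-invoices.php source is not shown on this page.

// Vulnerable pattern: the submitted value is concatenated into HTML as-is,
// so any markup in it becomes part of the page.
function renderHeadingUnsafe(string $term): string
{
    return '<h4>Result against "' . $term . '" keyword</h4>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES encodes both quote styles, so the value is also safe inside a
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of making the function return an empty string.
function renderHeadingSafe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h4>Result against "' . $encoded . '" keyword</h4>';
}

// Defence in depth: allow-list validation before the term is used at all.
// The permitted character set is an assumption about what an invoice
// search needs; it does not replace the output encoding above.
function normaliseSearchTerm(string $raw, int $maxLen = 64): ?string
{
    $term = trim($raw);
    if ($term === '' || strlen($term) > $maxLen) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} @._-]+$/u', $term) === 1 ? $term : null;
}

// Constructed inputs: the payload from step 4 and an ordinary search term.
$samples = ["<script>alert('XSS')</script>", 'INV-2024 0042'];
foreach ($samples as $s) {
    echo "input:     ", $s, "\n";
    echo "unsafe:    ", renderHeadingUnsafe($s), "\n";
    echo "safe:      ", renderHeadingSafe($s), "\n";
    echo "validated: ", var_export(normaliseSearchTerm($s), true), "\n\n";
}
```

Run with the PHP CLI; the "safe" line shows the payload rendered as inert text, and the "validated" line shows the allow-list rejecting it before it reaches any output.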