@enferas
Last active January 21, 2023 12:18
XSS in Sales Management System Source Codester

CVE-2023-23026 has been assigned.

Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code

Multiple stored XSS vulnerabilities.

The user-supplied input (the sources) is saved directly to the database: each controller takes the whole POST body and hands it to DB::save() as-is.

// Controllers/Categories.php
$data = $this->input->post(); // entire POST body, no field allow-list or filtering
if ($insert_id = DB::save(TABLE_CATEGORIES, $data)) {
  //...
}

// Controllers/Orders.php
$data = $this->input->post(); // same pattern: raw POST body stored
if(DB::save(TABLE_ORDERS, $data)){
  //...
}

// Controllers/Products.php
$data = $this->input->post(); // same pattern: raw POST body stored
if ($insert_id = DB::save(TABLE_PRODUCTS, $data)) {
  //...
}

The stored data is then passed from the database to the views and echoed without output encoding. There are 18 different sinks for XSS vulnerabilities.

For example:

// views/orders/print.php
<?php
$product_name = DB::get_cell(TABLE_PRODUCTS, $where, 'product_name');
?>
<td><?=$product_name ?></td>          <!-- sink: stored value echoed raw -->
<td><?=$products[$i]->qty ?></td>     <!-- sink -->

// views/orders/manage.php
<td class="px-2 py-1 align-middle" id="customer_name-<?=$row->order_id ?>"><?=ucwords($row->customer_name) ?></td>  <!-- sinks: attribute and text context -->

// views/orders/form.php
<?php foreach(DB::get(TABLE_PRODUCTS) as $row): ?>
  <option value="<?=$row->product_id ?>"><?=ucfirst($row->product_name) ?> - <?=$row->product_price ?></option>  <!-- sinks -->
<?php endforeach; ?>

// views/products/manage.php
<small class="label label-light text-black border rounded-pill" ><?=ucfirst($row->category_name) ?></small>  <!-- sink -->
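The fix is to encode at each sink and to stop mass-assigning the POST body at the source. The following is an added example, not code from the gist or from the Source Codester project; the helpers esc() and allowed_fields() are assumed names, and the product row and POST body are constructed samples. In CodeIgniter 3 the equivalent built-ins are html_escape() and passing an array of field names to $this->input->post().

```php
<?php
// Added example (not from the gist or the project): output encoding for the
// views above, plus an input allow-list for the controllers. esc() and
// allowed_fields() are assumed helper names, not part of the project.
declare(strict_types=1);

// Encode a database value for an HTML text or attribute context.
function esc(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Keep only the columns a form is allowed to set, instead of passing the
// whole POST body to DB::save().
function allowed_fields(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

// Constructed sample row: what a stored product_name might contain.
$row = (object) [
    'product_id'    => 7,
    'product_name'  => 'Widget <b>"sale"</b> & <script>',
    'product_price' => '9.99',
];

// Vulnerable form, as in views/orders/form.php: values interpolated raw,
// so markup stored in product_name is rendered by the browser.
$vulnerable = sprintf('<option value="%s">%s - %s</option>',
    $row->product_id, ucfirst($row->product_name), $row->product_price);

// Hardened form: every dynamic value encoded at the sink, after any
// string transformation such as ucfirst().
$hardened = sprintf('<option value="%s">%s - %s</option>',
    esc((string) $row->product_id), esc(ucfirst($row->product_name)),
    esc($row->product_price));

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "hardened:   ", $hardened, PHP_EOL;

// Constructed sample POST body carrying a column the form must not set.
$post = ['product_name' => 'Widget', 'product_price' => '9.99', 'is_admin' => '1'];
var_dump(allowed_fields($post, ['product_name', 'product_price']));
```

Run with `php example.php`; the hardened line shows the angle brackets, quotes and ampersand as entities, and the filtered POST array no longer contains is_admin.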