[CVE-2023–24231]Inventory Management System — Multiple Stored XSS Vulnerability
Today is a great day for me as I have successfully discovered multiple stored XSS vulnerabilities in an open-source inventory management system that I found on GitHub. After putting in a significant amount of effort, I was able to uncover several vulnerabilities. The most notable of these was the ability to insert an XSS payload into the system at five different points.
I will be demonstrating the use of a Cross-Site Scripting (XSS) payload for a Proof of Concept (POC) in this article.
Cross-Site Scripting (XSS) payload
test_xss<image src/onerror=alert("test_xss_at_Brand_Name")>
test_xss<image src/onerror=alert("test_xss_at_Categories_Name")>
test_xss<image src/onerror=alert("test_xss_at_Product_Name")>
test_xss<image src/onerror=alert("test_xss_at_Client_Name")>
test_xss<image src/onerror=alert("test_xss_at_Client_Contact")>Proof of concept
1. We navigate to the root page and log in as admin.
2. We click on Brand Menu.
3. We click on Add Brand Button.
4. We use Cross-Site Scripting (XSS) payload as Brand Name and After that, we click on Save Changes.
5. The payload will be executed.
6. We click on Category Menu.
7. We click on Add Categories Button.
8. We use Cross-Site Scripting (XSS) payload as Categorie Name and After that, we click on Save Changes.
9. The payload will be executed.
10. We click on Product Menu.
11. We click on Add Product Button.
12. We use Cross-Site Scripting (XSS) payload as Product Name and After that, we click on Save Changes.
13. The payload will be executed.
14. We click on Orders Menu > Add Orders.
15. We use Cross-Site Scripting (XSS) payload as Client Name and Client Contact. After that, we click on Save Changes.
16. We click on Orders Menu > Manage Orders.
17. The payload will be executed. After that, we click on the OK button.
18. The payload will be executed.
CVEs
- CVE-2023-24231
- CVE-2023–24232
- CVE-2023–24233
- CVE-2023–24234
- CVE-2023–24235
