CVE-2021–40577
Stored Cross-Site Scripting.
👨🏼💻 Discovered by Tushar Jadhav
Profile : https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
📄 Vulnerable version: 1.0
🔗 Vendor Homepage: https://www.sourcecodester.com/
Product: Online Enrollment Management System in PHP and Paypal Payment System
Vulnerability Title: Stored Cross-Site Scripting (XSS)
Detailed description: It was found that when we Add User using the admin login, the Add-Users page is given a POST request containing the Name field box which has an input field And Name is the parameter that is vulnerable to Stored-XSS.
Steps-To-Reproduce:
- Login into Online Enrollment Management System admin panel.
2. Now go to the New > User.
3. Now paste the below payload in the Name field.
<script>(document.cookie)</script>
4. Fill Other Deatils and Now click on the Save button.
5. The XSS will be triggered.
Proof-of-concept:
Thanks For Reading !!!