[CVE-2023–36941] XSS on Online Fire Reporting System V-1.2
Discovered by: Ridhesh Gohil
Vulnerable Version: V- 1.2
Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/
What is XSS?
Cross-Site Scripting (XSS) is a web application vulnerability when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have many negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.
Bug Description:
A cross-site scripting (XSS) vulnerability in the Online Fire Reporting System Using PHP and MySQL allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Team Name, Team Leader Name, and Tem Member fields.
Steps to Reproduce
- Go to this URL http://localhost/ofrs/admin/dashboard.php and in the Fire Control Team Section click on Add .
2. After that inject this XSS payload <script>alert(1)</script> in the Team name, Team Leader name, and Team Member Fields then click on submit button.
3. After that the XSS pop up will come……………………….
I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36941.
Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗
Thank you so much for reading. 🤗
My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil
