CVE-2024-30988: Cross-Site Scripting Vulnerability in Client Management System using PHP & MySQL 1.1 by Phpgurukul

Shanu Nirwan
Apr 3, 2024

Introduction: Cross-Site Scripting (XSS) vulnerabilities continue to pose a significant threat to web applications, allowing attackers to execute arbitrary code and compromise sensitive information. Today, I unveil an XSS vulnerability discovered in the Client Management System using PHP & MySQL 1.1 developed by Phpgurukul. This vulnerability, identified as CVE-2024-30988, enables attackers to execute arbitrary code via the “Search” parameter in the “/search-invoices.php” page.

Description: The XSS vulnerability in the Client Management System arises due to insufficient input validation in the “searchdata” parameter within the “/search-invoices.php” page. Attackers can inject malicious scripts into this parameter. Subsequently, when the victim searches using the affected search bar, the injected script is executed in their browser.

Proof of Concept (POC): To exploit this vulnerability, attackers can follow these steps:

  1. Navigate to the “/search-invoices.php” page within the Client Management System.
  2. In the search bar, inject the following XSS payload:

     bdks<script>alert(document.domain)</script>aaa

  3. Observe the XSS payload being triggered, demonstrating successful exploitation of the vulnerability.
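The fix for this class of bug is output encoding at the point where “searchdata” is written back into the page. The following is an added example, not code from the original post or from Phpgurukul's application: the function names and the surrounding markup are assumptions, used only to show the unencoded reflection beside its hardened form.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of a search page reflecting its input.
// Function names and markup are illustrative, not the application's code.

/** Vulnerable pattern: the raw parameter is concatenated into HTML. */
function renderResultHeadingUnsafe(string $searchdata): string
{
    return '<h4>Result against "' . $searchdata . '" keyword</h4>';
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: encode at the point of output. */
function renderResultHeadingSafe(string $searchdata): string
{
    return '<h4>Result against "' . e($searchdata) . '" keyword</h4>';
}

/** The same value echoed back into the search box (attribute context). */
function renderSearchBoxSafe(string $searchdata): string
{
    return '<input type="text" name="searchdata" value="' . e($searchdata) . '">';
}

// Constructed input: the string from the proof of concept above.
$poc = 'bdks<script>alert(document.domain)</script>aaa';
// Constructed input: a legitimate search term that contains quotes.
$benign = 'ACME "Q1" invoice';

echo renderResultHeadingUnsafe($poc), PHP_EOL; // script tag reaches the page intact
echo renderResultHeadingSafe($poc), PHP_EOL;   // angle brackets encoded, shown as text
echo renderSearchBoxSafe($benign), PHP_EOL;    // quotes encoded, attribute stays closed
```

Encoding on output rather than stripping on input keeps legitimate search terms such as the quoted one intact while still neutralising markup.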

Conclusion: CVE-2024-30988 highlights the importance of proactive security measures in web application development. By addressing vulnerabilities like XSS in the Client Management System, we can enhance the security posture of our digital infrastructure and protect against malicious exploitation. Let us remain vigilant in our efforts to secure sensitive data and safeguard user privacy.

Thank You For Reading!

By: Shanu Nirwan
