[CVE-2023–36375] XSS ON HOSTEL MANAGEMENT SYSTEM.

Discovered by: Ridhesh Gohil

Vulnerable Version: V- 2.1

Vendor Homepage: https://phpgurukul.com/hostel-management-system/

Hello, I m Ridhesh Gohil and I m Back with a new blog to share my experience of discovering a Third CVE (Common Vulnerabilities and Exposures) by uncovering an XSS (Cross-Site Scripting) vulnerability in a Hostel Management System.

I was working on a PHP open-source software named Hostel Management System and it was hosted locally on my system through XAMPP.

Understanding XSS Vulnerabilities.

Cross-Site Scripting (XSS) is a web application vulnerability that allows attackers to inject malicious scripts into trusted websites. These scripts execute on the users’ browsers, potentially compromising their security and privacy. Identifying and mitigating XSS vulnerabilities is crucial to protect users and maintain the integrity of web applications, including Hostel Management Systems.

When I was testing the program I was checking the functionality so when I see the option of book hostel and clicked on it then I see so many fields and then the Guardian name, Guardian Relation, Complimentary Address, City, Permanent Address, and City Fields are Vulnerable to XSS.

Steps to Reproduce.

1. Go to Hostel Management System Website, login with credentials, and click on book hostel.

2. Add the payload in the Guardian name, Guardian Relation, Complimentary Address, City, Permanent Address, and City Fields, and click on the register.

3. After that click on My Room and then pop will come.

I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36375.

Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗

Thank you so much for reading. 🤗

My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil