[CVE-2023–36376] XSS ON HOSTEL MANAGEMENT SYSTEM.

Discovered by: Ridhesh Gohil

Vulnerable Version: V- 2.1

Vendor Homepage: https://phpgurukul.com/hostel-management-system/

Hello, I m Ridhesh Gohil and I m Back with a new blog to share my experience of discovering a Fourth CVE (Common Vulnerabilities and Exposures) by uncovering an XSS (Cross-Site Scripting) vulnerability in a Hostel Management System.

I was working on a PHP open-source software named Hostel Management System and it was hosted locally on my system through XAMPP.

Understanding XSS Vulnerabilities.

Cross-Site Scripting (XSS) is a web application vulnerability that allows attackers to inject malicious scripts into trusted websites. These scripts execute on the users’ browsers, potentially compromising their security and privacy. Identifying and mitigating XSS vulnerabilities is crucial to protect users and maintain the integrity of web applications, including Hostel Management Systems.

After logging into the Admin Account and I was testing the program I was checking the functionality of the admin panel so when I see the Add course option, then clicked on and inject the xss payload and “BOOM”!!!!! all Three Fields are Vulnerable to XSS.

Steps to Reproduce.

1. Go to Hostel Management System Website, login with Admin credentials, click on the course section then click on Add course option

2. After that inject the XSS payload in all Three fields.

3. Then the XSS payload was triggered and pop-up will come up.

I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36376.

Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗

Thank you so much for reading. 🤗

My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil