[CVE-2023–36936] XSS Online Security Guards Hiring System.

Discovered by: Ridhesh Gohil.

Vendor Homepage:https://phpgurukul.com/online-security-guards-hiring-system-using-php-and-mysql/

What is XSS?

Cross-Site Scripting (XSS) is a web application vulnerability when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have many negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.

Bug Description:

A cross-site scripting (XSS) vulnerability in Online Security Guards Hiring System allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the search booking number field.

Steps to Reproduce.

1. Go to this URL http://localhost/osghs/index.php then click on the Request Status option.

2. Then in the Search Booking field enter this XSS payload <script>alert(1)</script> and click on search.

3. After that the XSS will pop up.

I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36936.

Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗

Thank you so much for reading. 🤗

My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil