[CVE-2023–36940] XSS on Online Fire Reporting System V-1.2

Discovered by: Ridhesh Gohil

Vulnerable Version: V- 1.2

Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/

What is XSS?

Cross-Site Scripting (XSS) is a web application vulnerability when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have many negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.

Bug Description:

A cross-site scripting (XSS) vulnerability in Online Fire Reporting System Using PHP and MySQL allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the search booking field.

Steps to Reproduce

1. Go to this URL http://localhost/ofrs/admin/dashboard.php login as admin and then in the Report Section click on Search

2. After that on the search field enter the XSS payload and press the Search

3. Then the XSS pop up will come

I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36940

Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗

Thank you so much for reading. 🤗

My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil