[CVE-2023–36942] XSS on Online Fire Reporting System V-1.2
Discovered by: Ridhesh Gohil
Vulnerable Version: V- 1.2
Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/
What is XSS?
Cross-Site Scripting (XSS) is a web application vulnerability when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have many negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.
Bug Description:
A cross-site scripting (XSS) vulnerability in the Online Fire Reporting System Using PHP and MySQL allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Title Field.
Steps to Reproduce
- Go to this URL http://localhost/ofrs/admin/dashboard.php then click on Manage Site option
2. After That in the website title field enter this XSS payload <script>alert(1)</script> and click on Update.
3. Then the XSS pop up will come up when ever we open the website
I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36942.
Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗
Thank you so much for reading. 🤗
My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil
