Headline
CVE-2022-3997: Open source software scm has a storage type cross site script attack vulnerability · Issue #2 · MonikaBrzica/scm
A vulnerability, which was classified as critical, has been found in MonikaBrzica scm. Affected by this issue is some unknown functionality of the file upis_u_bazu.php. The manipulation of the argument email/lozinka/ime/id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-213698 is the identifier assigned to this vulnerability.
Open source software scm has a storage type cross site script attack vulnerability
Build environment: Aapche2.4.39; MySQL5.7.26; PHP7.3.4
In uredi_ Korisnika.php file, line 42 - line 50,
The information entered by the user is directly requested by post without filtering
upis_ u_ bazu.php
The parameters of the post request are assigned to the corresponding variables from line 136 to line 141, and then the information is brought into the database for update. The updated data is stored in the database, causing a storage XSS vulnerability
Enter the xss code in the input box
Then the javascript code executes