CVE-2022-46096: z-vulnerabilitys/covid-19-vaccination2.md at main · Frank-Z7/z-vulnerabilitys

A cross-site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 allows attackers to execute arbitrary code via the txtfullname parameter or the txtphone parameter of register.php without logging in.

Tags: CVE, #xss, #vulnerability, #php

Vulnerability Description

A cross-site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 by Walterjnr1 allows attackers to execute arbitrary code via the txtfullname parameter or the txtphone parameter of register.php without logging in.

Payload: "><script>alert(1)</script>

POC:

We found that the source program echoes the txtfullname parameter and the txtphone parameter back into the page at this location without validating or encoding them, which results in a cross-site scripting (XSS) vulnerability.

We submit the payload to the /covid-19-vaccination/register.php page.

We can see that the browser executes the attacker's <script>alert(1)</script> payload when the page is rendered.
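The following is an added illustration of the pattern behind this finding, not code from the advisory or from the vendor's register.php: the vulnerable function is an assumed reconstruction of how a submitted value ends up echoed into a form field, placed beside the output-encoding fix a maintainer would apply.

```php
<?php
// Added example; render_field_vulnerable() is an assumed reconstruction of
// the echo pattern, not the actual register.php source.

// Assumed vulnerable pattern: the submitted value is concatenated straight
// into the value attribute, so "><script>alert(1)</script> closes the
// attribute and the <input> tag and injects a <script> element.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened form: encode for the HTML attribute context before echoing.
// ENT_QUOTES encodes both " and ' so the value cannot break out of the
// attribute; the explicit charset avoids encoding surprises.
function render_field_safe(string $name, string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $enc . '">';
}

// Regression check a maintainer can keep in the test suite: the rendered
// field must contain no raw tag or unencoded quote from user input.
function is_neutralized(string $html, string $attrName): bool
{
    $inner = substr($html, strlen('<input type="text" name="' . $attrName . '" value="'));
    $inner = substr($inner, 0, -strlen('">'));
    return strpos($inner, '<') === false && strpos($inner, '"') === false;
}

// Constructed sample input: the payload from the advisory.
$payload = '"><script>alert(1)</script>';

foreach (['txtfullname', 'txtphone'] as $field) {
    echo "vulnerable: ", render_field_vulnerable($field, $payload), PHP_EOL;
    echo "hardened:   ", render_field_safe($field, $payload), PHP_EOL;

    if (is_neutralized(render_field_vulnerable($field, $payload), $field)) {
        throw new RuntimeException("$field: vulnerable render unexpectedly safe");
    }
    if (!is_neutralized(render_field_safe($field, $payload), $field)) {
        throw new RuntimeException("$field: hardened render still reflects markup");
    }
}
```

Run with `php example.php`; the hardened line shows the payload reflected as text (`&quot;&gt;&lt;script&gt;...`) rather than as markup.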

Proof:

XSS attack using the txtfullname parameter:

XSS attack using the txtphone parameter:
