CVE-2022-4053: Student Attendance Management System has a stored XSS vulnerability · Issue #3 · rickxy/Student-Attendance-Management-System

A vulnerability was found in Student Attendance Management System. It has been classified as problematic. Affected is an unknown function of the file createClass.php. Manipulation of the argument className leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. VDB-213846 is the identifier assigned to this vulnerability.

Tags: #sql #xss #vulnerability #php

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

Log in to the back end with [email protected] / Password@123. Under Manage Classes, click Create Class, enter the XSS payload `<script>alert("ace")</script>` as the class name, and click Save.

Then refresh the page: the alert pops up.

createClass.php:

After clicking Save, the submitted className is substituted into the lookup query. If no matching class exists, the className is inserted into the database as given. Because the value is never HTML-escaped when it is rendered back to the page, the script executes for every user who views it, which is what makes this a stored XSS vulnerability.
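The following is an added example of how the createClass.php flow described above could be hardened; it is not the project's own code (the report does not reproduce the original file). The table and column names (`classes`, `class_name`), the `$mysqli` connection details and the length limit are assumptions. The fix for the reported issue is the escaping at output time; the prepared statements are a hygiene measure for the query the report mentions and do not correspond to a second reported flaw.

```php
<?php
// Added example (not the project's createClass.php): a hardened sketch of the
// create-class flow. Table/column names, connection details and the 100-char
// limit are assumptions made for this example.

function e(string $s): string
{
    // Escape for an HTML text or attribute context so "<script>" is rendered
    // as literal text instead of being executed by the browser.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function createClass(mysqli $db, string $className): string
{
    $className = trim($className);
    if ($className === '' || mb_strlen($className) > 100) {
        return 'Invalid class name.';
    }

    // Parameterised lookup: the value is bound, never interpolated into SQL.
    $stmt = $db->prepare('SELECT id FROM classes WHERE class_name = ?');
    $stmt->bind_param('s', $className);
    $stmt->execute();
    $exists = $stmt->get_result()->num_rows > 0; // get_result() needs mysqlnd
    $stmt->close();

    if (!$exists) {
        $ins = $db->prepare('INSERT INTO classes (class_name) VALUES (?)');
        $ins->bind_param('s', $className);
        $ins->execute();
        $ins->close();
    }

    // Vulnerable pattern the report describes (do not use):
    //   return "Class $className saved.";
    // Hardened form: escape at output time, every time the value is rendered.
    return 'Class ' . e($className) . ($exists ? ' already exists.' : ' saved.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['className'])) {
    // Assumed connection parameters; replace with the application's own config.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'attendance');
    echo '<p>' . createClass($db, (string) $_POST['className']) . '</p>';
}
```

Storing the raw value and escaping on output is deliberate: the same `e()` wrapper must also be applied wherever the class list is rendered (the manage-classes page, select boxes, reports), otherwise the stored payload still fires there even though the creation page is fixed. A Content-Security-Policy that disallows inline scripts is a useful second layer, but it does not replace escaping.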
