Headline
CVE-2022-37253: Crime Reporting System 1.0 Cross Site Scripting ≈ Packet Storm
Persistent cross-site scripting (XSS) in Crime Reporting System 1.0 allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter
# Exploit Title: Crime reporting system - Stored cross-site scripting (XSS)# Date: 29/07/2022# Exploit Author: Eslam Reda# Vendor Homepage: https://sourcecodehero.com/crime-reporting-system-project-in-php-with-source-code/# Software Link: https://sourcecodehero.com//wp-content/uploads/2022/03/Crime-Reporting-System-Project-in-PHP-with-source-code.zip# Version: v1.0# Tested on: Linux/Windows1. Login to the application "the default credentials are username:jude - password:12345", go to add users "/admin/a_users.php".2. Fill in the form with valid information.3. Intercept the traffic with a proxy and add the payload (<script>alert(9)</script>)) in the surname field.4. Payload will be stored and executed when visiting "/admin/v_users.php"