CVE-2023-38969: Badaso version 2.9.7 has an XSS vulnerability in add books

Cross-site scripting vulnerability in Badaso v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the title parameter in the new book and edit book function.


**Vendor Homepage:**

Badaso - Open Collective

**Version:**

2.9.7

**Tested On:**

macOS, review of source code

**Affected Page:**

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit

**Description:**

An XSS injection vulnerability was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This allows malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more. In this case the title is stored when a book is created or edited and is rendered again, unescaped, on the Borrowing add and edit pages, so the script runs for any user who opens those pages.

**Proof of Concept:**

  1. Log in and open the Add Books function.

  2. Inject an XSS payload (alert 1) into the book Title parameter and submit it.

      "' test <img src="" onerror="alert(5)">
    
  3. Go to Borrowing and add a new Borrowing, or edit an existing one; the malicious script is executed.
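As an added example (not Badaso's own code), the rendering pattern behind a stored XSS like this one is shown beside its hardened form, together with a check a tester can run over the rendered Borrowing page to confirm a fix. The row markup, the helper names and the TEMPLATE_TAGS allowlist are assumptions; the stored title is the advisory's own payload.

```javascript
// Added example, not Badaso's code. The PoC stores a book title once and the
// Borrowing add/edit pages render it later (stored XSS). The row markup and the
// escape helper below are hypothetical; the payload is the one in the advisory.

// The advisory's payload, used here as constructed test input.
const STORED_TITLE = '"\' test <img src="" onerror="alert(5)">';

// Tags the (hypothetical) Borrowing template legitimately emits.
const TEMPLATE_TAGS = ['td', 'option'];

// Encode the five characters that can break out of HTML text or a quoted
// attribute value, so one helper covers both interpolation contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the stored title is concatenated straight into markup,
// the equivalent of innerHTML / v-html / an unescaped template interpolation.
function renderBorrowingRowUnsafe(book) {
  return `<td class="title">${book.title}</td>` +
         `<option value="${book.id}">${book.title}</option>`;
}

// Hardened rendering: every interpolation point is encoded for its context.
function renderBorrowingRowSafe(book) {
  const title = escapeHtml(book.title);
  return `<td class="title">${title}</td>` +
         `<option value="${escapeHtml(book.id)}">${title}</option>`;
}

// Regression check for rendered output: report any tag the template did not
// emit and any on*= event-handler attribute. Both can only come from user data.
function findInjectedMarkup(html, templateTags) {
  const found = [];
  for (const [, tag, attrs] of html.matchAll(/<\/?([a-z][a-z0-9-]*)([^>]*)>/gi)) {
    if (!templateTags.includes(tag.toLowerCase())) found.push(tag.toLowerCase());
    const handler = attrs.match(/\b(on[a-z]+)\s*=/i);
    if (handler) found.push(`handler:${handler[1].toLowerCase()}`);
  }
  return found;
}

const book = { id: 7, title: STORED_TITLE };
console.log(findInjectedMarkup(renderBorrowingRowUnsafe(book), TEMPLATE_TAGS)); // ['img','handler:onerror','img','handler:onerror']
console.log(findInjectedMarkup(renderBorrowingRowSafe(book), TEMPLATE_TAGS));   // []
```

The same check can be pointed at the real Borrowing page's HTML after a fix is deployed: an empty result for a title containing the PoC payload means the stored value no longer reaches the browser as markup.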
