CVE-2023-3381: CVEReport/XSS2.md at main · M9KJ-TEAM/CVEReport

A vulnerability classified as problematic was found in SourceCodester Online School Fees System 1.0. Affected by this vulnerability is an unknown functionality of the file /paysystem/datatable.php of the component GET Parameter Handler. The manipulation of the argument doj leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-232237 was assigned to this vulnerability.


Online School Fees System v1.0 has reflected cross-site scripting

BUG_Author: zhangyf

Website source code address: https://www.sourcecodester.com/php/11708/online-school-fees-system.html

Vulnerability File: /paysystem/datatable.php

The GET parameter “doj” is vulnerable to reflected cross-site scripting.

Payload: /paysystem/datatable.php?student=1&doj=<script>alert(document.cookie)</script>&type=feesearch

The JavaScript code executes successfully and the cookie value is returned, which proves that a reflected cross-site scripting vulnerability exists.
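A log check for the request described above, as an added example that is not part of the original report: it flags access-log entries where the `doj` parameter of `/paysystem/datatable.php` carries HTML metacharacters, including percent-encoded and doubly encoded forms. The combined log format, the sample entries and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/paysystem/datatable.php"  # vulnerable file named in the advisory
TARGET_PARAM = "doj"                      # vulnerable GET parameter named in the advisory
# Assumption: Apache/nginx combined log format, request line in double quotes.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# HTML metacharacters that have no place in this parameter's value.
MARKUP_RE = re.compile(r"[<>\"'`]")

# Constructed sample entries (documentation IP addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2023:10:00:01 +0000] "GET /paysystem/datatable.php?student=1&doj=2023-06-01&type=feesearch HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jul/2023:10:00:07 +0000] "GET /paysystem/datatable.php?student=1&doj=%3Cscript%3Ealert(document.cookie)%3C/script%3E&type=feesearch HTTP/1.1" 200 845',
    '203.0.113.9 - - [01/Jul/2023:10:00:09 +0000] "GET /paysystem/datatable.php?student=1&doj=%253Cb%253Etest%253C%252Fb%253E&type=feesearch HTTP/1.1" 200 840',
    '203.0.113.7 - - [01/Jul/2023:10:00:12 +0000] "GET /paysystem/index.php?doj=%3Cb%3E HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so nested encodings are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_doj(log_line):
    """Return the decoded doj value if it carries markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    try:
        url = urlsplit(match.group(1))
    except ValueError:  # malformed request target
        return None
    if not url.path.endswith(TARGET_PATH):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        if MARKUP_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged entry."""
    found = ((n, suspicious_doj(line)) for n, line in enumerate(lines, start=1))
    return [(n, v) for n, v in found if v is not None]
```

Calling `scan(SAMPLE_LOG)` flags entries 2 and 3; the benign date value and the request to a different file are ignored.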
