Headline
CVE-2022-3587: POC/Stored XSS at main · rsrahulsingh05/POC
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component My Account. The manipulation of the argument First Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211201 was assigned to this vulnerability.
# Exploit Title: Simple Cold Storage Management System v1.0 - Stored XSS in “First Name”
# Exploit Author: Rahul Singh
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html
# Version: v1.0
# Tested on: Windows 10, Apache
Description : A Stored XSS in Simple Cold Storage Management System v1.0 allows an attacker to input arbitrary javascript code into those vulnerable parameters
Vulnerable Parameters:
First Name
Steps:
Login into account
Go to My Account
Now in Parameters “First Name” put your payload
Payload: <script>alert(1)</script>
Now save the user and our Java script payload will be stored.
As the payload has been stored in the database, the alert will trigger everytime user will go to My account page.