Headline
CVE-2022-32987: Simple Bakery Shop Management System in PHP MySQL
Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields.
# Description:
The Bakery Shop Management System is a simple web-based application platform for bakery shops that
can help them to manage their stocks and day-to-day transaction with their customers.
# Vulnerability Name: Cross site scripting (XSS) in Simple Bakery Shop Management System
# Vulnerable URL: http://localhost/bsms/?page=manage_account
# Parameters Vulnerable: Full Name, Username
# Payload Used: "><script>alert(“XSS”)</script>
# Steps to reproduce:
1. Login with admin credential.
2. Navigate to 'Manage Account’.
3. Insert XSS payloads in input fields ‘Full Name’ and 'Username’.
4. Click on Update.
5. XSS payloads trigger automatically while user visits this page again.
# References
Vendor URL: https://www.campcodes.com/
Software URL: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/