Headline
Customer Support System 1.0 Cross Site Scripting
Customer Support System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ahmed Abba in November of 2020.
# Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"# Date: 28/11/2023# Exploit Author: Geraldo Alcantara# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code# Version: 1.0# Tested on: Windows# CVE : CVE-2023-49976*Steps to reproduce:*1- Log in to the application.2- Visit the ticket creation/editing page.3- Create/Edit a ticket and insert the malicious payload into the"subject" field/parameter.Payload: <dt/><b/><script>alert(document.domain)</script>