CVE-2021-42662 - Stored Cross-Site Scripting vulnerability in the Online event booking and reservation system version 2.3.0.
A stored XSS vulnerability exists in the Event management software version 2.3.0. An attacker can leverage this vulnerability to run JavaScript in the browsers of users visiting the affected page, which can lead to cookie theft, defacement and more.
Affected components -
Vulnerable page - HOLY
Vulnerable parameter - "reason"
- Navigate to http://localhost/event-management/views/?v=HOLY
- Insert your payload in the "reason" parameter
- Click "Add holiday"
The following payload demonstrates JavaScript execution -
<script>alert("This is an XSS")</script>
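The root cause described above is the stored "reason" value being written back into the HOLY page without output encoding. The following Python snippet is an added illustration for defenders, not code from the advisory or from the Event management software: it contrasts a rendering routine that reproduces the stored-XSS pattern with a hardened version that HTML-entity-encodes every stored field at output time, and adds a Content-Security-Policy header as defence in depth. The table layout, the `render_*` and `build_response` function names and the sample holiday records are constructed for this example; the second record reuses the advisory's proof-of-concept payload as its stored "reason".

```python
import html

# Constructed sample data: two stored holiday records. The second "reason"
# is the advisory's proof-of-concept payload exactly as it would be stored.
SAMPLE_HOLIDAYS = [
    {"date": "2021-12-25", "reason": "Christmas Day"},
    {"date": "2021-10-22", "reason": '<script>alert("This is an XSS")</script>'},
]


def render_holidays_vulnerable(holidays):
    """The stored-XSS pattern: stored values are concatenated straight into
    the HTML response, so any markup an attacker saved is rendered live."""
    rows = "".join(
        f"<tr><td>{h['date']}</td><td>{h['reason']}</td></tr>" for h in holidays
    )
    return f"<table>{rows}</table>"


def render_holidays_fixed(holidays):
    """Hardened form: every stored value is HTML-entity-encoded at the point
    it is inserted into an HTML text context. Encoding happens on output,
    not on input, so the raw value in the database stays unchanged and is
    safe to reuse in other contexts (JSON, CSV, e-mail) with their own encoders."""
    rows = "".join(
        f"<tr><td>{html.escape(h['date'], quote=True)}</td>"
        f"<td>{html.escape(h['reason'], quote=True)}</td></tr>"
        for h in holidays
    )
    return f"<table>{rows}</table>"


def build_response(holidays):
    """Return (headers, body) for the hardened page. The CSP header is a
    second layer: even if an encoding bug slips through somewhere else, an
    inline <script> injected by a stored value is refused by the browser."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # No 'unsafe-inline' in script-src, so injected inline scripts do not run.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return headers, render_holidays_fixed(holidays)


def contains_live_script_tag(rendered_html):
    """Test helper: True if the rendered page still carries an unencoded
    <script tag, i.e. the stored payload would execute."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_holidays_vulnerable(SAMPLE_HOLIDAYS))
    print("fixed:     ", render_holidays_fixed(SAMPLE_HOLIDAYS))
```

Running the block prints both renderings side by side; the vulnerable one contains the raw `<script>` element, while the hardened one shows `&lt;script&gt;alert(&quot;This is an XSS&quot;)&lt;/script&gt;` as inert text. The same encode-on-output rule applies to any template engine: auto-escaping must be on for the template that renders the holiday list, and raw/unescaped output helpers must not be used on user-controlled fields.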
https://www.exploit-db.com/exploits/50450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42662
https://nvd.nist.gov/vuln/detail/CVE-2021-42662
Alon Leviev (0xDeku), 22 October 2021.