Vulnerability Description

Covid-19 Directory on Vaccination System v1.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via verification.php. Because the program does not validate the txtvaccinationID parameter, this parameter can be used for XSS attacks without logging in. The system stores and retrieves information about COVID-19 vaccination and is an open source project hosted on https://www.sourcecodester.com/.

Payload: `"><script>alert(1)</script>`

Browser: Microsoft Edge (note that, to reproduce the attack process properly, the XSS filter must not be enabled in the attacker's browser).

POC:

We found that the source program does not check the txtvaccinationID value before echoing it back at this location, so a Cross-Site Scripting (XSS) vulnerability exists.

We execute the payload on the /covid-19-vaccination/verification.php page.

Attackers can execute arbitrary web script or commands with a crafted payload injected through the txtvaccinationID parameter.

It is important to note that verification.php is a page for vaccinators to query vaccination result information, so attackers do not need to log in to an account to carry out XSS attacks and compromise system security.

We can see that the system executes the attacker's `<script>alert(1)</script>` payload.

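To show why the `">` prefix of the payload matters and how the echo should be fixed, the following added PHP example (written for this write-up, not code from the Covid-19 Directory on Vaccination System project) reconstructs the vulnerable pattern beside a hardened version. The markup, the field name layout and the assumed ID format are assumptions; the real verification.php may differ.

```php
<?php
// Added illustration, not the project's code. The vulnerable function echoes
// the submitted value into an HTML attribute without escaping, which is the
// class of defect described in the report. Markup and ID format are assumed.

// Vulnerable pattern: the raw value lands inside value="...". A value such as
// "><script>alert(1)</script> closes the attribute and the <input> tag, so the
// script element becomes part of the page and runs in the visitor's browser.
function render_vulnerable(string $id): string
{
    return '<input type="text" name="txtvaccinationID" value="' . $id . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES encodes
// both double and single quotes, so the value can no longer terminate the
// attribute, and < and > are encoded so no new tag can be opened.
function render_hardened(string $id): string
{
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="txtvaccinationID" value="' . $safe . '">';
}

// Defence in depth: allow-list the expected shape of a vaccination ID before
// it is used at all. The pattern here is an assumption; adjust it to the real
// ID scheme of the deployment.
function is_valid_vaccination_id(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9-]{1,32}$/', $id);
}

// The payload quoted in the report, used as constructed sample input.
$payload = '"><script>alert(1)</script>';

if (!is_valid_vaccination_id($payload)) {
    // A real handler would stop here and return a validation error.
    echo "Rejected by allow-list: unexpected characters in txtvaccinationID", PHP_EOL;
}

echo "Vulnerable output: ", render_vulnerable($payload), PHP_EOL;
echo "Hardened output:   ", render_hardened($payload), PHP_EOL;
```

Run with `php example.php`; the hardened line shows the quotes and angle brackets as HTML entities, so the browser renders the payload as text instead of executing it.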