Vulnerability Description

Cross-site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 by Walterjnr1 allows attackers to execute arbitrary code via the txtfullname parameter or the txtphone parameter to register.php without logging in.

Payload: "><script>alert(1)</script>

POC:

We found that the source program does not sanitize the txtfullname parameter or the txtphone parameter before echoing them back at this location, so the page is vulnerable to cross-site scripting (XSS).

We execute the payload on the /covid-19-vaccination/register.php page.

We can see that the system renders the attacker's <script>alert(1)</script> input as script and executes it.
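To make the root cause concrete, the following is an added PHP example and not code from the Online Covid-19 Directory on Vaccination System itself. It places the unescaped-echo pattern the advisory describes beside a hardened version that HTML-encodes the submitted value and validates the phone field before it is reflected. The field names txtfullname and txtphone come from the advisory; the function names and the HTML fragment are assumptions made for the illustration.

```php
<?php
// Added example (not the vaccination system's own code): the reflected-input
// pattern behind the register.php XSS, shown vulnerable and then corrected.
// Field names txtfullname/txtphone are from the advisory; the handler functions
// and markup are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the submitted value is concatenated straight into an HTML
// attribute. A value that starts with a double quote closes the attribute and
// the tag, and any markup that follows is parsed as part of the page.
function renderFieldVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES escapes
// both " and ', and an explicit charset prevents multibyte tricks around the
// encoder. Browsers display the original text, but never treat it as markup.
function renderFieldSafe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

// Input validation for the phone field: allow an optional leading plus, then
// digits, spaces and dashes only. Anything else is rejected before it reaches
// the page or the database. Output encoding above is still required; this is
// defence in depth, not a replacement for it.
function isValidPhone(string $phone): bool
{
    return preg_match('/^\+?[0-9][0-9 \-]{5,19}$/', $phone) === 1;
}

// Hypothetical registration handler: reads the two fields, validates the phone
// number, and re-renders the form using the safe encoder only.
function handleRegister(array $post): string
{
    $fullName = trim((string)($post['txtfullname'] ?? ''));
    $phone    = trim((string)($post['txtphone'] ?? ''));

    $errors = [];
    if ($fullName === '' || mb_strlen($fullName, 'UTF-8') > 100) {
        $errors[] = 'Full name is required and must be at most 100 characters.';
    }
    if (!isValidPhone($phone)) {
        $errors[] = 'Phone number may contain only digits, spaces, dashes and a leading +.';
    }

    $html = '';
    foreach ($errors as $error) {
        // Error text is static, but encode it anyway so the habit is uniform.
        $html .= '<p class="error">' . htmlspecialchars($error, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>' . PHP_EOL;
    }
    $html .= renderFieldSafe('txtfullname', $fullName) . PHP_EOL;
    $html .= renderFieldSafe('txtphone', $phone) . PHP_EOL;
    return $html;
}

// Constructed sample input: the payload quoted in the advisory, submitted in
// both fields, plus a benign submission for comparison.
$payload = '"><script>alert(1)</script>';

echo "--- vulnerable rendering ---", PHP_EOL;
echo renderFieldVulnerable('txtfullname', $payload), PHP_EOL;

echo "--- hardened handler, malicious input ---", PHP_EOL;
echo handleRegister(['txtfullname' => $payload, 'txtphone' => $payload]);

echo "--- hardened handler, benign input ---", PHP_EOL;
echo handleRegister(['txtfullname' => 'Jane Doe', 'txtphone' => '+1 555-0100']);
```

Run it with `php example.php` and compare the two renderings: the vulnerable one emits the closing quote and the script tag verbatim, while the hardened one leaves the input entirely inside the value attribute as entity-encoded text. The same encoding must be applied at every place register.php echoes these fields, not only in the form itself; if the values are also stored and shown on other pages, those pages need the same treatment.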

Proof:

XSS attacks by using the txtfullname parameter:


XSS attacks by using the txtphone parameter:
