Skip to content

RashidKhanPathan/CVE-2022-43117

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

[Suggested description] Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.


[Additional Information] Proof Of Concept: https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing Vendor Homepage: https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/psa_php.zip


[Vulnerability Type] Cross Site Scripting (XSS)


[Vendor of Product] Sourcecodester


[Affected Product Code Base] Password Storage Application in PHP/OOP and MySQL - 1.0


[Affected Component] Source Code


[Attack Type] Remote


[Impact Code execution] true


[Attack Vectors] to Exploit this vulnerability attacker need to first create his account on http://localhost/psa_php/owner_registration.php, then login with created password after login, attacker need to inject arbitrary JavaScript code inside Name, Username, Description and Site field, and then click on save, once attacker clicks on save button the arbitrary JavaScript Payload will Execute


[Reference] https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing


[Discoverer] RashidKhan Pathan

Use CVE-2022-43117

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published