
Exploit Title: EGavilanMedia - User Registration and Login System With Admin Panel - Persistent Cross-Site Scripting

Date: 19-11-2020

Exploit Author: Hemant Patidar (HemantSolo)

Vendor Homepage: http://egavilanmedia.com/

Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/

Version: 1.0

Tested on: Windows 10/Kali Linux

Contact: https://www.linkedin.com/in/hemantsolo/

Stored Cross-site scripting (XSS):

Stored XSS, also known as persistent XSS, is the more damaging of the two types (stored and reflected). It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS, by contrast, involves reflecting a malicious script off a web application onto a user's browser.

Attack vector:

This vulnerability lets an attacker inject an XSS payload in the User Registration section. Each time the dashboard is visited, the XSS triggers, and the attacker can steal the cookie according to the crafted payload and carry out malicious activities against the server.

Vulnerable Parameters: First Name, Last Name

Steps-to-reproduce:

  1. Go to the User Registration page.
  2. Fill in all the details and put this payload in Full Name: "hemantsolo">"
  3. Now log in to your account and the payload will execute.
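
A mitigation sketch for the issue above, added here as an example and not taken from the advisory or the vendor's code: the name fields are encoded at output time, validated at registration, and the session cookie is kept out of reach of page script. It is written in Python as a stand-in because the application's source is not shown; the dashboard markup, the `fname` field, the name policy, the cookie name and the sample input are all assumptions.

```python
import html
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample: the page's payload prefix plus an inert tag (no script).
SAMPLE = '"hemantsolo"><img src=x>'
# Assumed name policy: starts with a letter, then letters, space, . ' or -
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ .'\-]){0,63}")

def valid_name(value: str) -> bool:
    """Registration-time check; a second layer, not a substitute for encoding."""
    return NAME_RE.fullmatch(value.strip()) is not None

def render_vulnerable(first: str, last: str) -> str:
    """Before: stored values concatenated into hypothetical dashboard markup."""
    return f'<input name="fname" value="{first}"><h3>Welcome {first} {last}</h3>'

def render_hardened(first: str, last: str) -> str:
    """After: every stored value is HTML-encoded at output time."""
    fn, ln = html.escape(first, quote=True), html.escape(last, quote=True)
    return f'<input name="fname" value="{fn}"><h3>Welcome {fn} {ln}</h3>'

class _Tags(HTMLParser):
    """Records each start tag an HTML parser sees in the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def parsed_tags(markup: str) -> list:
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags

def session_cookie(session_id: str) -> str:
    """Session cookie hidden from page script, limiting cookie theft via XSS."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"].update({"httponly": True, "secure": True,
                              "samesite": "Strict", "path": "/"})
    return cookie["session"].OutputString()

if __name__ == "__main__":
    print(valid_name(SAMPLE), valid_name("O'Neil"))
    print(parsed_tags(render_vulnerable(SAMPLE, "Solo")), parsed_tags(render_hardened(SAMPLE, "Solo")))
    print(session_cookie("constructed-session-id"))
```

Output encoding is the primary fix because it holds even for values already stored in the database; the registration check only stops new bad input.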