Student Attendance Management System has a storage XSS vulnerability #3

Closed
huclilu opened this issue Nov 17, 2022 · 0 comments

huclilu commented Nov 17, 2022

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

Enter admin@mail.com / Password@123 to log in to the background. At manage classes, click create class, enter the XSS payload <script>alert ("ace")</script>, and click save.

Then refresh the interface and the alert pops up.

createClass.php:

After clicking save, the className is substituted into the query as input. If it does not exist, the className will be reinserted into the database. Because the script is not HTML-escaped, the XSS vulnerability is caused.

@huclilu huclilu closed this as completed Nov 18, 2022
@huclilu huclilu reopened this Nov 18, 2022
@huclilu huclilu closed this as completed Nov 18, 2022
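
The store-then-render flow described in the report, as an added example that is not part of the original issue and is not the project's code: the class name is stored unchanged through a bound parameter and HTML-escaped at output time. The table `classes`, the functions `createClass`, `h` and `renderClassRows`, and the in-memory SQLite database standing in for MySQL are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical schema and function names, not the project's code.
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database named in the report.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE classes (id INTEGER PRIMARY KEY, className TEXT UNIQUE)');

// Store the name as data, bound as a parameter; skip it if it already exists.
function createClass(PDO $db, string $className): bool
{
    $check = $db->prepare('SELECT 1 FROM classes WHERE className = ?');
    $check->execute([$className]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    $db->prepare('INSERT INTO classes (className) VALUES (?)')->execute([$className]);
    return true;
}

// Escape for the HTML text context at the moment of output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $escape = false reproduces the reported behaviour; true is the fix.
function renderClassRows(PDO $db, bool $escape): string
{
    $html = '';
    foreach ($db->query('SELECT className FROM classes ORDER BY id') as $row) {
        $name = $escape ? h($row['className']) : $row['className'];
        $html .= "<tr><td>{$name}</td></tr>\n";
    }
    return $html;
}

// Constructed input: the payload from the report plus an ordinary name.
createClass($db, '<script>alert ("ace")</script>');
createClass($db, 'Seven A');

echo "Unescaped (script tag reaches the browser as markup):\n", renderClassRows($db, false);
echo "Escaped (rendered as inert text):\n", renderClassRows($db, true);
```

Escaping at output rather than at insert keeps the stored value intact for non-HTML consumers and also covers rows that were saved before the fix.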