Alumni Management System version 1.0 suffers from a persistent cross site scripting vulnerability.
fd2e5fb6a7e13e52e74f22c818d7fc27235bef8e92fc5eb59244cac165226f67# Exploit Title: Stored XSS on Alumni Management System
# Date: 23/10/2020
# Exploit Author: Valerio Alessandroni
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-s ource-code.html
# Version: 1.0
# Tested on: ubuntu 18.04
# CVE : CVE-2020-28071
# Description:
An attacker after the admin authentication, can upload an image in the gallery, using a XSS payload in the description textarea called "about" and reach a stored XSS.
# Reproduction:
- Login as "admin"
- upload an image in the gallery area in the administration panel injecting Javascript code in the textarea called "about"
- The obtained XSS affects the administration panel (ex: http://127.0.0.1/admin/index.php?page=gallery) and
the public gallery (ex: http://127.0.0.1/index.php?page=gallery)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed