来源

关联漏洞

介绍

# CVE-2024-51430

### Vulnerability Type
Cross-Site Scripting (XSS)

### Description
Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component

### Vendor of Product
Sourcecodester

### Affected Product Code Base: 
https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html - 1.0

### Affected Component: 
The "Test Name" parameter on the diagnostic/add-test.php page is vulnerable.

### Attack Vectors:
The Online Diagnostic Lab Management System has a security problem called Cross-Site Scripting (XSS) in the Borrower section. This happens because the system doesn   t clean user inputs properly, allowing harmful JavaScript code to be added. For example, if someone enters `<script>alert(1)</script>` in the "Test Name" field, the system stores this code. When the "Manage Test" section is revisited, the code runs and shows an alert message. This could allow attackers to steal information or take unauthorized actions in the user's browser.

### Steps to Reproduce:
1. Open the Online Diagnostic Lab Management System on your computer.
2. Log in to the application with the provided credentials.
3. Go to the "Test" submenu and click  on "Add Test."
4. Fill in the "Test Name" field with the XSS payload which is "<script>alert(1)</script>".
5. Once Submitted, Click on the "Manage Test", and you will see the JavaScript alert pop-up on the page.

### Reference: 
1. https://www.sourcecodester.com/
2. https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

文件快照

 [4.0K]  /data/pocs/957f29e429649ce8fada63e81f1c915e5b50a9bf
└── [1.7K]  README.md

0 directories, 1 file

备注