关联漏洞
介绍
# CVE-2024-51430
### Vulnerability Type
Cross-Site Scripting (XSS)
### Description
Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component
### Vendor of Product
Sourcecodester
### Affected Product Code Base:
https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html - 1.0
### Affected Component:
The "Test Name" parameter on the diagnostic/add-test.php page is vulnerable.
### Attack Vectors:
The Online Diagnostic Lab Management System has a security problem called Cross-Site Scripting (XSS) in the Borrower section. This happens because the system doesn t clean user inputs properly, allowing harmful JavaScript code to be added. For example, if someone enters `<script>alert(1)</script>` in the "Test Name" field, the system stores this code. When the "Manage Test" section is revisited, the code runs and shows an alert message. This could allow attackers to steal information or take unauthorized actions in the user's browser.
### Steps to Reproduce:
1. Open the Online Diagnostic Lab Management System on your computer.
2. Log in to the application with the provided credentials.
3. Go to the "Test" submenu and click on "Add Test."
4. Fill in the "Test Name" field with the XSS payload which is "<script>alert(1)</script>".
5. Once Submitted, Click on the "Manage Test", and you will see the JavaScript alert pop-up on the page.
### Reference:
1. https://www.sourcecodester.com/
2. https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
文件快照
[4.0K] /data/pocs/957f29e429649ce8fada63e81f1c915e5b50a9bf
└── [1.7K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。