Customer Support System 1.0 – Stored XSS

  • 作者: Geraldo Alcantara
    日期: 2024-07-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/52057/
  • # Exploit Title:Customer Support System 1.0 - (XSS) Cross-Site
    Scripting Vulnerability in the "subject" at "ticket_list"
    # Date: 28/11/2023
    # Exploit Author: Geraldo Alcantara
    # Vendor Homepage:
    https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
    # Software Link:
    https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
    # Version: 1.0
    # Tested on: Windows
    # CVE : CVE-2023-49976
    *Steps to reproduce:*
    1- Log in to the application.
    2- Visit the ticket creation/editing page.
    3- Create/Edit a ticket and insert the malicious payload into the
    "subject" field/parameter.
    Payload: <dt/><b/><script>alert(document.domain)</script>