Forma LMS 2.3 – ‘First & Last Name’ Stored Cross-Site Scripting

Exploit Database
114 阅读

作者： Hemant Patidar

日期： 2020-12-04
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/49197/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

# Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting

# Date: 04-12-2020

# Exploit Author: Hemant Patidar (HemantSolo)

# Vendor Homepage: https://www.formalms.org/download.html

# Software Link: https://www.formalms.org/

# Version: 2.3

# Tested on: Windows 10/Kali Linux

Steps-To-Reproduce:

1. Go to the Forma LMS and login to your account.

2. Now go to the User Profile.

3. Now Edit the profile.

4. Put the below payload in first and last name:

"<script>alert(document.cookie)</script>"

5. Now click on Save button.

6. The XSS will be triggered.