Forma LMS 2.3 – ‘First & Last Name’ Stored Cross-Site Scripting

  • Author: Hemant Patidar
    Date: 2020-12-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49197/
  • # Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting 
    # Date: 04-12-2020
    # Exploit Author: Hemant Patidar (HemantSolo)
    # Vendor Homepage: https://www.formalms.org/download.html
    # Software Link: https://www.formalms.org/
    # Version: 2.3
    # Tested on: Windows 10/Kali Linux
    
    Steps-To-Reproduce:
    1. Go to Forma LMS and log in to your account.
    2. Now go to the User Profile.
    3. Now edit the profile.
    4. Put the payload below in the first and last name fields:
    "<script>alert(document.cookie)</script>"
    5. Now click the Save button.
    6. The XSS will be triggered.
    6. The XSS will be triggered.
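
Mitigation sketch (an added example, not code from Forma LMS or from the advisory author): the stored name is harmless until it is written into HTML without encoding, so the fix belongs at output time, and an audit pass can locate values that are already stored. The function names, the "user-name" class and the "firstname"/"lastname" row keys are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not Forma LMS code.
declare(strict_types=1);

/** Vulnerable pattern: the stored value is concatenated into HTML as-is. */
function render_name_unsafe(string $first, string $last): string
{
    return '<span class="user-name">' . $first . ' ' . $last . '</span>';
}

/** Hardened pattern: encode for the HTML context when the value is output. */
function render_name_safe(string $first, string $last): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span class="user-name">' . $enc($first) . ' ' . $enc($last) . '</span>';
}

/** Audit helper: report stored name fields that contain markup characters. */
function find_suspect_names(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (['firstname', 'lastname'] as $field) { // hypothetical column names
            if (preg_match('/[<>"]/', $row[$field] ?? '') === 1) {
                $hits[] = ['id' => $row['id'], 'field' => $field];
            }
        }
    }
    return $hits;
}

// Constructed sample rows; row 2 carries the payload from step 4.
$payload = '"<script>alert(document.cookie)</script>"';
$rows = [
    ['id' => 1, 'firstname' => 'Ada', 'lastname' => 'Lovelace'],
    ['id' => 2, 'firstname' => $payload, 'lastname' => $payload],
];

echo render_name_unsafe($payload, $payload), PHP_EOL; // script tag reaches the page intact
echo render_name_safe($payload, $payload), PHP_EOL;   // angle brackets and quotes become entities
print_r(find_suspect_names($rows));                   // both name fields of id 2
```

Encoding at output rather than stripping at input keeps names that were stored before the fix safe to display as well.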