Lost and Found Information System- Multiple stored XSS

CVE-2023-36159

Exploit: Lost and Found Information System- Multiple stored XSS

Date: 13/6/2023

Exploit Author: Aftab Shaikh - Cryptex

Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html

Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip

Version: 1.0

Tested on: XAMPP Debian Server 8.2.4-0 Apache/2.4.57 10.11.3-MariaDB PHP 8.2.5


Technical Details & POC

XSS 1

1. Go to http://localhost/php-lfis/admin/login.php
2. Log in to the Dashboard using the provided credentials.
3. Click on "Users."
4. Click on "Create New."
5. Insert the XSS payload `<script>alert(1)</script>` into the "First Name" field.
6. Click "Save User Details."

XSS 2

1. Go to http://localhost/php-lfis/admin/login.php
2. Log in to the Dashboard using the provided credentials.
3. Click on "Users."
4. Click on "Create New."
5. Insert the XSS payload `<script>alert(1)</script>` into the "Middle Name" field.
6. Click "Save User Details."

XSS 3

1. Go to http://localhost/php-lfis/admin/login.php
2. Log in to the Dashboard using the provided credentials.
3. Click on "Users."
4. Click on "Create New."
5. Insert the XSS payload `<script>alert(1)</script>` into the "Last Name" field.
6. Click "Save User Details."
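
Mitigation sketch for the three name fields above, as an added example (not code from the original post or from the Lost and Found Information System itself): it contrasts unencoded output with output encoded via `htmlspecialchars()`, and flags already-stored rows that contain markup. The array keys `firstname`, `middlename`, `lastname`, the function names and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored user records. The keys
// firstname / middlename / lastname are assumed names, not the project's schema.
$users = [
    ['id' => 1, 'firstname' => 'Maria', 'middlename' => 'L.', 'lastname' => "O'Neil"],
    ['id' => 2, 'firstname' => '<script>alert(1)</script>', 'middlename' => '', 'lastname' => 'Test'],
];

const NAME_FIELDS = ['firstname', 'middlename', 'lastname'];

// Encode a stored value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern (hypothetical): stored values are concatenated into markup
// unchanged, so whatever was saved in a name field is parsed as HTML.
function renderRowUnsafe(array $u): string
{
    return '<td>' . $u['firstname'] . ' ' . $u['middlename'] . ' ' . $u['lastname'] . '</td>';
}

// Hardened pattern: every name field is encoded at output time.
function renderRowSafe(array $u): string
{
    $parts = array_map(fn(string $f): string => e((string) ($u[$f] ?? '')), NAME_FIELDS);
    return '<td>' . implode(' ', $parts) . '</td>';
}

// Audit helper: list records whose name fields already contain markup
// characters, so rows saved before the fix can be reviewed.
function findSuspectRows(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (NAME_FIELDS as $f) {
            if (preg_match('/[<>]/', (string) ($row[$f] ?? '')) === 1) {
                $hits[] = ['id' => $row['id'], 'field' => $f];
            }
        }
    }
    return $hits;
}

echo implode(PHP_EOL, array_map('renderRowSafe', $users)), PHP_EOL;
print_r(findSuspectRows($users));
```

Encoding at output time neutralises payloads that are already in the database, while the audit pass identifies which stored records to review.
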
This post is licensed under CC BY 4.0 by the author.