XSS vulnerability from Sourcecodester Accounts Manager App 1.0 (update-account.php)
CVE-2024-7948
A vulnerability classified as problematic was found in SourceCodester Accounts Manager App 1.0. This vulnerability affects unknown code of the file update-account.php of the component Update Account Page. The manipulation of the argument Account Name/Username/Password/Link leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected Project: Accounts Manager App 1.0
Official Website: https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html
Version: 1.0
Related Code file: update-account.php
Injection parameter: account_name, tbl_account_id, username, password, link
Vulnerability Description
All parameters at update-account.php are vulnerable to the tested XSS payload: %3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e
This string is URL-encoded; decoded, it attempts to inject a script into the webpage:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Because the application does not properly sanitize or validate the input, this script is executed in the user's browser, resulting in an XSS attack.
Analysis
If any of the values displayed on the page (for example inside the alert() call or in a URL) are derived from user input, and that input is not properly sanitized or encoded for the output context, a malicious user can inject JavaScript code through these fields.
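As an added illustration (not code from the Accounts Manager App, whose update-account.php source this advisory does not show), the following hypothetical PHP contrasts the unsafe pattern that produces this class of bug with output encoding that neutralises it. The same encoding applies to every stored field listed above (account_name, username, password, link); the sample value is the decoded payload from this advisory.

```php
<?php
// Hypothetical example, not the application's own code. It assumes the
// stored field value is later rendered into an HTML attribute and the
// page body of the Update Account page.

// Constructed sample input: the decoded payload from the advisory, as it
// would arrive in $_POST['account_name'] and be stored unchanged.
$account_name = '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">';

// Unsafe pattern: the stored value is concatenated straight into the
// markup. The quote characters close the attribute, and the browser then
// parses the <SCRIPT> element and runs it (stored XSS).
function render_unsafe(string $value): string
{
    return '<input type="text" name="account_name" value="' . $value . '">';
}

// Safe pattern: encode for the HTML context at output time.
// ENT_QUOTES encodes both single and double quotes so the value cannot
// break out of the attribute; the explicit charset avoids encoding
// mismatches that can otherwise let invalid byte sequences through.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="account_name" value="' . $encoded . '">';
}

echo render_unsafe($account_name), PHP_EOL;
echo render_safe($account_name), PHP_EOL;
```

Input validation on the server side is still worthwhile, but context-aware output encoding is the control that stops this bug regardless of what was stored in the database.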
Demonstration
Below is what the Accounts Manager App looks like:
We can update an account as follows:
Fill in the forms with the following payload:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
After saving the changes, we can verify the XSS vulnerability: