XSS vulnerability from Sourcecodester Accounts Manager App 1.0 (update-account.php)

CVE-2024-7948

A vulnerability classified as problematic was found in SourceCodester Accounts Manager App 1.0. This vulnerability affects unknown code of the file update-account.php of the component Update Account Page. The manipulation of the argument Account Name/Username/Password/Link leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected Project: Accounts Manager App 1.0

Official Website: https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html

Version: 1.0

Related Code file: update-account.php

Injection parameter: account_name, tbl_account_id, username, password, link

Vulnerability Description

All parameters at update-account.php are vulnerable to the tested XSS payload: %3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e. This string is URL-encoded; once decoded, it attempts to inject a script into the webpage: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Because the application does not properly sanitize or validate this input, the script could be executed in the user's browser, leading to an XSS attack.

Analysis

echo "
<script>
    alert('Account Updated Successfully');
    window.location.href = 'http://localhost/account-manager-app/index.php';
</script>
";

If any of the values displayed in the alert() call or used in the redirect URL were derived from user input, and those inputs were not properly sanitized, a malicious user could inject JavaScript code through these fields.
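The following is an added example, not code from the Accounts Manager App: it shows the three output contexts the advisory touches (HTML body, href attribute, and a JavaScript string in the success alert), each encoded before a stored value is rendered. $account is a constructed sample row holding the advisory's decoded payload, as it would be read back after an unsanitized update.

```php
<?php
// Added example (not the Accounts Manager App's own code).
// $account is a constructed sample row containing the advisory's payload.
$account = [
    'account_name' => '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    'username'     => 'alice',
    'link'         => 'javascript:alert(1)',
];

// HTML body / attribute context: encode &, <, >, " and '.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// href context: only http(s) URLs pass, then the URL is HTML-encoded.
function safe_href(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// JavaScript string context: emit a quoted JS literal with <, >, &, ' and "
// hex-escaped, so a "</script>" inside the value cannot close the block.
function js_string(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable rendering: raw interpolation turns the stored payload into live markup.
echo "<td>{$account['account_name']}</td><a href=\"{$account['link']}\">open</a>\n";

// Hardened rendering: the same row, each value encoded for where it lands.
echo "<td>" . h($account['account_name']) . "</td>"
   . "<a href=\"" . safe_href($account['link']) . "\">open</a>\n";

// The success alert from the analysis section, with the account name placed
// into the script as a JS literal instead of pasted into the string.
echo "<script>alert(" . js_string("Account " . $account['account_name'] . " updated") . ");</script>\n";
```

Run with `php example.php` and compare the first and second lines of output: the hardened line renders the payload as visible text and replaces the javascript: link with `#`.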

Demonstration

Below is what the Accounts Manager App looks like:

Screenshot from 2024-08-19 15-06-32

We can update an account as follows:

Screenshot from 2024-08-19 15-06-36

Fill in the form fields with the following payload:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Screenshot from 2024-08-19 15-19-51

After saving the changes, the payload executes, confirming the XSS vulnerability:

Screenshot from 2024-08-19 15-12-29