XSS vulnerability in PHPGurukul IFSC Code Finder 1.0 (search.php)

CVE-2024-10192

A vulnerability has been found in PHPGurukul IFSC Code Finder Project 1.0 and classified as problematic. It affects an unknown function of the file search.php. Manipulation with an unknown input leads to cross-site scripting. The CWE definition for the vulnerability is CWE-79: the product does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. The known impact is on integrity.

Affected Project: IFSC Code Finder 1.0

Official Website: https://phpgurukul.com/ifsc-code-finder-project-using-php/

Version: 1.0

Related Code file: search.php

Vulnerability Description

search.php is vulnerable to the tested XSS payload: %3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e. This string is URL-encoded; when decoded, it attempts to inject a script into the web page: <IMG """"><SCRIPT>alert("XSS")</SCRIPT>">.

The application does not properly sanitize or validate the searchifsccode input, so this script could be executed in the user’s browser, leading to an XSS attack.
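
The missing output encoding described above, shown next to its fix as an added example (this is not the project's search.php, whose source is not reproduced on this page). It assumes the search term is echoed back into the results page; the function names and the IFSC format check are illustrative.

```php
<?php
// Added example: hypothetical handler code, not taken from the project's search.php.
declare(strict_types=1);

// Vulnerable pattern: the search term is concatenated into HTML without encoding,
// so any markup in it becomes part of the page.
function render_vulnerable(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also covers the case where the term is reflected inside an attribute.
function render_safe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $encoded . '</p>';
}

// Input validation as a second layer. Assumption: the field only needs to accept
// complete IFSC codes (4 letters, a zero, then 6 alphanumerics).
function is_valid_ifsc(string $term): bool
{
    return preg_match('/\A[A-Z]{4}0[A-Z0-9]{6}\z/', $term) === 1;
}

// The encoded test string from this advisory, decoded the way PHP decodes a
// request parameter before the script sees it.
$payload = urldecode('%3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e');

// Unencoded output: the SCRIPT element reaches the browser as markup.
echo render_vulnerable($payload), PHP_EOL;

// Encoded output: the same input is displayed as inert text.
echo render_safe($payload), PHP_EOL;

// The advisory's string fails the format check; a well-formed code passes.
var_dump(is_valid_ifsc($payload));
var_dump(is_valid_ifsc('ABCD0123456')); // constructed sample value
```

Encoding at output is the fix for CWE-79; the format check only narrows what the field accepts and does not replace it.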

Demonstration

Below is what search.php looks like:

Screenshot from 2024-10-19 13-47-56

Let’s search with the payload: <IMG """"><SCRIPT>alert("XSS")</SCRIPT>">

Screenshot from 2024-10-19 13-48-03

XSS is triggered:

[Screenshot]