XSS vulnerability from Sourcecodester QR Code Bookmark System 1.0 (update-bookmark.php)
CVE-2024-8154
A vulnerability classified as problematic has been found in SourceCodester QR Code Bookmark System 1.0. Affected is an unknown function of the file /endpoint/update-bookmark.php of the component Parameter Handler. The manipulation of the argument tbl_bookmark_id/name/url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Affected Project: QR Code Bookmark System 1.0
Official Website: https://www.sourcecodester.com/php/17286/qr-code-bookmark-system-using-php-and-mysql-source-code.html
Version: 1.0
Related Code file: update-bookmark.php
Injection parameter: tbl_bookmark_id, name, url
Vulnerability Description
The tbl_bookmark_id, name, url parameters are vulnerable to the tested XSS payload: %3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e
. This string is encoded and when decoded, it attempts to inject a script into the webpage:
<IMG """"><SCRIPT>alert("XSS")</SCRIPT>">
Application does not properly sanitize or validate the input, this script could be executed in the user’s browser, leading to an XSS attack.
Demonstration
Below is how QR Code Bookmark System looks like:
We can update bookmark as such:
Intercept the update(update-bookmark.php) traffic using Burp Suite and inject the following payload:
Payload used above is HTML encoded and decodes as <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Upon sending the modifying traffic containing XSS payload, we can verify the vulnerability: