CVE-2024-24134 : Online Food Menu - Cross-Site Scripting

References:

Description:

The 'Menu Name' and 'Description' fields in the Update Menu section of localhost/food-menu/admin.php are vulnerable to cross-site scripting. An attacker could exploit this issue to run arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Proof of Concept:

  • Go to localhost/food-menu/admin.php. You will see the previously saved data (menus).
  • To update one of the saved menus, select 'Update Menu'. A window will appear.
  • Enter the following payload in the 'Menu Name' field: <video/src=x onerror=alert(document.domain)>
  • XSS will be triggered as soon as you press the Save Changes button.
  • Select one of the menus again, select the 'Update Menu' option, and enter the following payload in the 'Description' section of the window that appears: <video/src=x onerror=alert(document.cookie)>
  • XSS will be triggered as soon as you press the Save Changes button.

Menu Name

(Screenshots: 2024-01-12 021626, 2024-01-12 021645)

Description

(Screenshots: 2024-01-12 021737, 2024-01-12 021751)
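The root cause is that stored field values are written into the page without output encoding. The following is an added example, not code from the Online Food Menu project: the render functions and the sample record are hypothetical, and it shows the vulnerable pattern next to a hardened one that HTML-encodes 'Menu Name' and 'Description' at output time, for both the table cell and a pre-filled form input.

```php
<?php
// Added example (hypothetical helpers, not the project's admin.php).

// Vulnerable pattern: stored values are interpolated straight into the markup,
// so a saved <video/src=x onerror=...> tag becomes live HTML in the admin page.
function render_menu_row_vulnerable(array $row): string {
    return "<tr><td>{$row['menu_name']}</td><td>{$row['description']}</td></tr>";
}

// Context-appropriate encoder for HTML body and quoted attribute values.
// ENT_QUOTES also escapes single quotes, which matters inside value='...'.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded on the way out.
function render_menu_row_hardened(array $row): string {
    return '<tr><td>' . h($row['menu_name']) . '</td><td>' . h($row['description']) . '</td></tr>';
}

// The 'Update Menu' window pre-fills inputs with the stored value; that is an
// attribute context and needs the same encoding.
function render_update_field_hardened(string $name, string $value): string {
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Constructed sample record carrying the payload from the advisory.
$rows = [
    ['menu_name' => '<video/src=x onerror=alert(document.domain)>',
     'description' => 'Grilled chicken'],
];

foreach ($rows as $row) {
    echo render_menu_row_vulnerable($row), "\n";   // browser parses the <video> tag
    echo render_menu_row_hardened($row), "\n";     // browser shows it as literal text
    echo render_update_field_hardened('menu_name', $row['menu_name']), "\n";
}
```

Encoding at output is the fix that survives any future input field; input filtering alone can be bypassed by alternative tags and event handlers.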