
CVE-2024-6807


Details

Attack type: Cross-Site Scripting (stored; the injected payload is saved with the user record and fires when the page is reloaded)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vendor: SourceCodester

Product: Student Study Center Desk Management System

Affected components: /sscdms/classes/Users.php?f=save

XSS injection parameters: firstname, middlename, lastname, username


POC

1. Click on Create New.

2. Intercept the request with the Burp Suite Proxy.

3. Change the firstname parameter (middlename, lastname and username are injectable in the same way) to the following:

   <script>print();</script>

4. Send the request and reload the page.

5