CVE-2024-6807
Details
Attack type: Cross Site Scripting
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vendor: SourceCodester
Product: Student Study Center Desk Management System
Affected components: /sscdms/classes/Users.php?f=save
XSS injection parameters: firstname, middlename, lastname, username
POC
Click on Create New.
Intercept the request using Burpsuite Proxy.
Change the firstname parameter to the following:
<script>print();</script>
Send the request and reload the page.
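The root cause described above (CWE-79) and its fix, as an added illustration that is not code from the SourceCodester project: a stored value echoed straight into the page beside the same output run through htmlspecialchars. The field names are the advisory's parameters; the function and variable names are assumed.

```php
<?php
// Added example, not the project's code. Field names follow the advisory;
// everything else is assumed for illustration.

// Vulnerable pattern: stored user fields are concatenated into HTML as-is,
// so a saved value such as <script>print();</script> runs on every page load.
function render_user_row_vulnerable(array $user): string {
    return '<tr><td>' . $user['firstname'] . '</td>'
         . '<td>' . $user['middlename'] . '</td>'
         . '<td>' . $user['lastname'] . '</td>'
         . '<td>' . $user['username'] . '</td></tr>';
}

// Hardened pattern: every value is HTML-encoded at output time.
// ENT_QUOTES encodes both quote styles (safe inside attributes too),
// ENT_SUBSTITUTE avoids silently returning an empty string on invalid UTF-8,
// and the charset must match the one the page is served with.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_user_row_safe(array $user): string {
    return '<tr><td>' . h($user['firstname']) . '</td>'
         . '<td>' . h($user['middlename']) . '</td>'
         . '<td>' . h($user['lastname']) . '</td>'
         . '<td>' . h($user['username']) . '</td></tr>';
}

// Constructed sample record carrying the payload from the advisory.
$user = [
    'firstname'  => '<script>print();</script>',
    'middlename' => 'A',
    'lastname'   => 'Doe',
    'username'   => 'jdoe',
];

// The first line contains live markup; the second contains only text.
echo render_user_row_vulnerable($user), PHP_EOL;
echo render_user_row_safe($user), PHP_EOL;
```

Encoding at output is the fix that holds regardless of how the value reached the database; rejecting angle brackets on the save request alone does not protect other code paths that read the same row.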