Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-43117 PoC — Password Storage Application 跨站脚本漏洞

Source
https://github.com/RashidKhanPathan/CVE-2022-43117
Associated Vulnerability
Title:Password Storage Application 跨站脚本漏洞 (CVE-2022-43117)
Description:Password Storage Application是Carlo Montero个人开发者的一个密码存储应用。 Password Storage Application 1.0版本存在安全漏洞,该漏洞源于其密码存储应用程序允许攻击者通过Name、Username、Description和Site Feature参数实现多个跨站脚本。
Readme
> [Suggested description]
> Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0
> was discovered to contain multiple cross-site scripting (XSS)
> vulnerabilities via the Name, Username, Description and Site Feature
> parameters.
>
> ------------------------------------------
>
> [Additional Information]
> Proof Of Concept: https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing
> Vendor Homepage: https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html
> Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/psa_php.zip
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Sourcecodester
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Password Storage Application in PHP/OOP and MySQL - 1.0
>
> ------------------------------------------
>
> [Affected Component]
> Source Code
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> to Exploit this vulnerability attacker need to first create his account on http://localhost/psa_php/owner_registration.php, then login with created password after login, attacker need to inject arbitrary JavaScript code inside Name, Username, Description and Site field, and then click on save, once attacker clicks on save button the arbitrary JavaScript Payload will Execute
>
> ------------------------------------------
>
> [Reference]
> https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html
> https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing
>
> ------------------------------------------
>
> [Discoverer]
> RashidKhan Pathan

Use CVE-2022-43117
File Snapshot

 [4.0K]  /data/pocs/22bf5db2e935e2096f47bbc6fc5eeea162ecc3b7
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.