Customer Support System 1.0 Cross Site Scripting
- Customer Support System 1.0 Cross Site Scripting
- Posted Jul 1, 2024
- Authored by Geraldo Alcantara
-
Customer Support System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ahmed Abba in November of 2020.
- advisories | CVE-2023-49976
- SHA-256 |
bd3b1262bfab66821d2e542deeae55703ce8c3dbcbfb3a2f3bb1adec4b3fdef0 - Download | Favorite | View
# Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"
# Date: 28/11/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-49976
*Steps to reproduce:*
1- Log in to the application.
2- Visit the ticket creation/editing page.
3- Create/Edit a ticket and insert the malicious payload into the
"subject" field/parameter.
Payload: <dt/><b/><script>alert(document.domain)</script>