CVE-2024-51430

Vulnerability Type

Cross-Site Scripting (XSS)

Description

Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component

Vendor of Product

Sourcecodester

Affected Product Code Base:

https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html - 1.0

Affected Component:

The "Test Name" parameter on the diagnostic/add-test.php page is vulnerable.

Attack Vectors:

The Online Diagnostic Lab Management System has a security problem called Cross-Site Scripting (XSS) in the Borrower section. This happens because the system doesn t clean user inputs properly, allowing harmful JavaScript code to be added. For example, if someone enters <script>alert(1)</script> in the "Test Name" field, the system stores this code. When the "Manage Test" section is revisited, the code runs and shows an alert message. This could allow attackers to steal information or take unauthorized actions in the user's browser.

Steps to Reproduce:

1. Open the Online Diagnostic Lab Management System on your computer.
2. Log in to the application with the provided credentials.
3. Go to the "Test" submenu and click on "Add Test."
4. Fill in the "Test Name" field with the XSS payload which is "<script>alert(1)</script>".
5. Once Submitted, Click on the "Manage Test", and you will see the JavaScript alert pop-up on the page.

Reference:

1. https://www.sourcecodester.com/
2. https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)