Money Transfer Management System 1.0 - DOM-Based XSS

Summary

NameMoney Transfer Management System - DOM-Based XSS
Code nameCharles
ProductMoney Transfer Management System
Affected versionsVersion 1.0
StatePublic
Release date2022-03-15

Vulnerability

KindDOM-Based Cross-Site Scripting (XSS)
Rule371. DOM-Based Cross-Site Scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSSv3 Base Score4.3
Exploit availableNo
CVE ID(s)CVE-2022-25221

Description

Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.

Proof of Concept

Steps to reproduce

  1. Send the following URL to a victim http://127.0.0.1/mtms/admin/?page=xss';alert('XSS');//

  2. If a victim visits the link the JavaScript code will be triggered.

System Information

  • Version: Money Transfer Management System version 1.0.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-03-15 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline

Time-lapse-logo

2022-02-15

Vulnerability discovered.

Time-lapse-logo

2022-02-15

Vendor contacted.

Time-lapse-logo

2022-03-15

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.