Money Transfer Management System 1.0 - DOM-Based XSS

Summary

NameMoney Transfer Management System - DOM-Based XSS
Code nameCharles
ProductMoney Transfer Management System
Affected versionsVersion 1.0
StatePublic
Release date2022-03-15

Vulnerability

KindDOM-Based Cross-Site Scripting (XSS)
Rule371. DOM-Based Cross-Site Scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSSv3 Base Score4.3
Exploit availableNo
CVE ID(s)CVE-2022-25221

Description

Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.

Proof of Concept

Steps to reproduce

  1. Send the following URL to a victim http://127.0.0.1/mtms/admin/?page=xss';alert('XSS');//

  2. If a victim visits the link the JavaScript code will be triggered.

System Information

  • Version: Money Transfer Management System version 1.0.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-03-15 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline

Time-lapse-logo

2022-02-15

Vulnerability discovered.

Time-lapse-logo

2022-02-15

Vendor contacted.

Time-lapse-logo

2022-03-15

Public Disclosure.