Money Transfer Management System 1.0 - DOM-Based XSS
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name: Money Transfer Management System - DOM-Based XSS
Code name:
State: Public
Release date: 15 mar 2022
Affected product: Money Transfer Management System
Affected version(s): Version 1.0
Vulnerability name: DOM-Based Cross-Site Scripting (XSS)
Vulnerability type: Remotely exploitable
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v3.1 base score: 4.3
Exploit available: No
CVE ID(s):
Description
Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code into the URL and then trick a user into visiting the link, so that the JavaScript code executes in the user's browser.
Proof of Concept
Steps to reproduce
Send the following URL to a victim
http://127.0.0.1/mtms/admin/?page=xss';alert('XSS');//
If the victim visits the link, the injected JavaScript code is executed.
System Information
Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL
Exploit
There is no public exploit for the vulnerability, but it can be exploited manually.
Mitigation
As of 2022-03-15 there is no patch resolving the issue.
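The PoC above works because the value of the page query parameter ends up inside a quoted JavaScript string, and the single quote in the payload closes that string. The following added example (not code from the Money Transfer Management System project; the allowlist of page names is an assumption) shows a hardened way to consume that parameter client-side, plus a check that flags the advisory's payload:

```javascript
// Added example, not part of the affected application. The page names in
// the allowlist are assumed for illustration.
const ALLOWED_PAGES = new Set(["home", "transactions", "users", "reports"]);

// Parse a query string such as "?page=xss';alert('XSS');//" and return a
// page name that is guaranteed to be one of ALLOWED_PAGES. The raw value
// is never spliced into a script string or the DOM, so a quote or
// semicolon in the parameter cannot break out of any context.
function safePageFromQuery(search, fallback = "home") {
  const params = new URLSearchParams(search);
  const page = params.get("page");
  if (page !== null && ALLOWED_PAGES.has(page)) return page;
  return fallback;
}

// Detection helper a request logger or WAF rule could apply: does the
// "page" value contain characters that would terminate a quoted JS string
// or an HTML attribute? Returns true for the advisory's PoC value.
function looksLikeScriptBreakout(search) {
  const page = new URLSearchParams(search).get("page");
  if (page === null) return false;
  return /['"<>;`]/.test(page);
}

// Stand-alone run (node): the PoC payload is reduced to the safe default
// and flagged, a legitimate value passes through unchanged.
const poc = "?page=xss';alert('XSS');//";
console.log(safePageFromQuery(poc));            // home
console.log(looksLikeScriptBreakout(poc));      // true
console.log(safePageFromQuery("?page=users"));  // users
```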
References
Timeline
15 feb 2022: Vulnerability discovered
15 feb 2022: Vendor contacted
15 mar 2022: Public disclosure