Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)
6,1
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)
Code name
State
Public
Release date
27 de out. de 2023
Affected product
Online Blood Donation Management System
Vendor
Projectworlds Pvt. Limited
Affected version(s)
Version 1.0
Vulnerability name
Stored Cross-Site Scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.0 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v3.0 base score
6.1
Exploit available
Yes
CVE ID(s)
Description
Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php response. The vulnerable code is:
users/register.php:
users/DBConnect.php:
users/member.php:
layout/_member_layout.php:
Our security policy
We have reserved the ID CVE-2023-44484 to refer to this issue from now on.
System Information
Version: Online Blood Donation Management System v1.0
Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://projectworlds.in/
Timeline
Vulnerability discovered
29 de set. de 2023
Vendor contacted
29 de set. de 2023
Public disclosure
27 de out. de 2023
