Money Transfer Management System 1.0 - DOM-Based XSS
4,3
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Money Transfer Management System - DOM-Based XSS
Code name
State
Public
Release date
15 de mar. de 2022
Affected product
Money Transfer Management System
Affected version(s)
Version 1.0
Vulnerability name
DOM-Based Cross-Site Scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v3.1 base score
4.3
Exploit available
No
CVE ID(s)
Description
Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.
Proof of Concept
Steps to reproduce
Send the following URL to a victim
http://127.0.0.1/mtms/admin/?page=xss';alert('XSS');//If a victim visits the link the JavaScript code will be triggered.
System Information
Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-03-15 there is not a patch resolving the issue.
References
Timeline
Vulnerability discovered
15 de fev. de 2022
Vendor contacted
15 de fev. de 2022
Public disclosure
15 de mar. de 2022
