CVE-2024-34224 | Cross Site Scripting

Computer Laboratory Management System using PHP and MySQL 1.0

Submitter: Kha Do

Vulnerability

Cross Site Scripting

Description

A Cross Site Scripting vulnerability in /php-lms/classes/Users.php?f=save in Computer Laboratory Management System using PHP and MySQL 1.0 allows remote attackers to inject arbitrary web script or HTML via the firstname, middlename, and lastname parameters.

Affected component

Path URL: /php-lms/classes/Users.php?f=save

Parameters: firstname, middlename, lastname

POC

Enter the payload <script>alert(123)</script> into the firstname parameter and save it. [Screenshot: Firstname]

After saving, a pop-up window like the following appears: [Screenshot: Firstname_Popup]
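
The mitigation for the behaviour shown in the POC, as an added example that is not code from the affected application or its author: the saved name fields are encoded at the point of output, with save-time validation as defence in depth. The function names, the `<td>` rendering context, and the allowed-character policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; not taken from the application's source.
const NAME_FIELDS = ['firstname', 'middlename', 'lastname'];

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe pattern: stored values are concatenated into markup unchanged. */
function render_name_unsafe(array $user): string
{
    return '<td>' . implode(' ', array_map(fn($f) => (string)($user[$f] ?? ''), NAME_FIELDS)) . '</td>';
}

/** Hardened pattern: every field is encoded at the point of output. */
function render_name_safe(array $user): string
{
    return '<td>' . implode(' ', array_map(fn($f) => h((string)($user[$f] ?? '')), NAME_FIELDS)) . '</td>';
}

/** Save-time check (assumed policy): letters, combining marks, space, dot, apostrophe, hyphen. */
function validate_names(array $input): array
{
    $errors = [];
    foreach (NAME_FIELDS as $field) {
        $value = trim((string)($input[$field] ?? ''));
        if ($value !== '' && !preg_match("/^[\\p{L}\\p{M} .'\\-]{1,100}$/u", $value)) {
            $errors[] = $field; // field name is reported, the value is never echoed back
        }
    }
    return $errors;
}

// Constructed sample record using the payload from the POC above.
$user = ['firstname' => '<script>alert(123)</script>', 'middlename' => '', 'lastname' => "O'Neil"];

echo render_name_unsafe($user), PHP_EOL; // markup from the stored value is emitted as-is
echo render_name_safe($user), PHP_EOL;   // markup characters are emitted as HTML entities
echo 'rejected fields: ', implode(', ', validate_names($user)), PHP_EOL;
```

Output encoding is the primary control here; the validation step only narrows what can be stored and does not replace encoding wherever the three fields are displayed.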