Stored XSS Vulnerability in PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9-[CVE-2018-7469]
[+] Credits: Neeraj Kumar
Entrepreneur Job Portal Script 2.0.9
Link to access the Product:
Cross site scripting - Stored XSS
XSS Exploit code(s):
Field Name: Edit Category Name
Parameter Name: p_name
1. Login into the admin site.
2. Goto “Categories - Industry Type".
3. Put <script>alert("document.cookie")</script> in Edit Category Name field. and save it.
4. Access the below pages:
Admin login- (Use below link to inject the XSS payload)
5. You will get the "cookie value" pop up by accessing the below links.
b.Normal User Login-
|Figure (a): Stored XSS on Admin Portal|
Mitre Notification: February 25, 2018
Public Disclosure: February 28, 2018
Impact Code execution:
Impact Information Disclosure:
Request Method(s): [+] POST
Vulnerable Product: [+] PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9
Vulnerable Parameter(s): [+] p_name
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).