- Vendor Homepage: https://egavilanmedia.com/Expense-Management-System/
- Github: https://github.com/EGavilan-Media/Expense-Management-System
- Version 1.0
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41434
A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application by EGavilan Media that allows for arbitrary execution of JavaScript commands.
A Cross-Site Scripting (XSS) attack is a type of malicious script injection on an otherwise harmless and trusted website. XSS attacks occur when an attacker uses a web application to send malicious code, on the browser side, to another end user. Stored XSS attacks are those where the injected script is permanently stored on the target servers. The victim later retrieves the malicious script from the server when it requests the stored information.
- Download, install and run Expense Management System application.
- Visit the following resource
localhost/index.php. - Click on the Add Expense buttom and fill in the form.
- Description:
<script>alert(document.cookie);</script> - Amount: any number
- Date: any date
- Press the Save button and navigate to the page including our added expense.
- The result is that the JavaScript command will runs in the description field.
Discovered by Martin Kubecka, September 18, 2021.