PHP Scripts Mall PHP Appointment Booking Script has HTML injection via the "edit my profile" page: [CVE-2019-9066]


Vulnerability Description => HTML injection is an injection issue that occurs when a user controls an input point and can insert arbitrary HTML markup into a vulnerable web page. Depending on what markup the page accepts, the consequences range from changing the page content that victims see (injected links, fake login forms, defacement) to, where the injected markup also gets script executed (cross-site scripting), disclosure of a victim's session cookies that could be used to impersonate them.





How to Exploit

1. Go to the PHP Appointment Booking Script site (http://phpscriptsmall.net/demo/appointment/).

2. Register an account and verify it.

3. Log in to the account with the username and password.

4. Go to My Account and click Edit Account.

5. Type HTML code into any input field (e.g. <h1>HTML Injection Testing</h1>) and click Update.

6. The injected HTML is now rendered on your account page. To judge the real impact, also check whether the same profile field is displayed to other users (for example staff viewing bookings); that is not shown in this demo.
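The pattern behind steps 5 and 6, as an added example that is not the booking script's own code: a profile field saved from the edit form is later written back into the account page without output encoding, so the browser parses the saved `<h1>` as markup. The function names, the markup around the field and the check helper are assumptions made for illustration; the fix, encoding with htmlspecialchars at output time, is the standard one for an HTML text context.

```php
<?php
// Added example, not code from PHP Scripts Mall's Appointment Booking Script.
// Models the "edit my profile" flow: a field the user typed into the
// profile form is stored and later rendered into the "my account" page.
declare(strict_types=1);

// Constructed payload: the same markup the write-up types into the form.
const PAYLOAD = '<h1>HTML Injection Testing</h1>';

// Vulnerable pattern (assumed shape): the stored field is concatenated
// straight into the page, so the browser treats the <h1> as markup.
function renderProfileVulnerable(string $displayName): string
{
    return '<div class="profile"><p>Name: ' . $displayName . '</p></div>';
}

// Encode for HTML at output time. ENT_QUOTES also encodes ' and ", so the
// same helper is safe inside a quoted attribute; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed pattern: identical template, field encoded on the way out.
function renderProfileFixed(string $displayName): string
{
    return '<div class="profile"><p>Name: ' . e($displayName) . '</p></div>';
}

// Regression check (hypothetical helper): does the rendered page contain the
// raw payload verbatim? If so, the markup will be parsed, i.e. the injection
// from step 6 still works.
function reflectsRawHtml(string $page, string $payload): bool
{
    return strpos($page, $payload) !== false;
}

$cases = [
    'vulnerable' => renderProfileVulnerable(PAYLOAD),
    'fixed'      => renderProfileFixed(PAYLOAD),
];

foreach ($cases as $label => $html) {
    printf(
        "%-10s injected=%s\n%s\n\n",
        $label,
        reflectsRawHtml($html, PAYLOAD) ? 'yes' : 'no',
        $html
    );
}
```

Run it with `php example.php`. The vulnerable case reports `injected=yes` and emits the `<h1>` unchanged; the fixed case reports `injected=no` and emits `&lt;h1&gt;HTML Injection Testing&lt;/h1&gt;`, which the browser shows as literal text. Encode at output rather than stripping tags on input: the stored value stays intact, and every place that renders the field (account page, admin views, e-mails) gets the encoding appropriate to its own context.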
