Alumni Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross scripting vulnerability in this version is attributed to Valerio Alessandroni in December of 2020.
f94fec9bc74239534e3cc75c1185d76b# Exploit Title: Alumni Management System 1.0 - "Course Form" Stored XSS
# Exploit Author: Aakash Madaan
# Date: 2020-12-10
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on the "Course List" page.
Step 3. In the "Course Form" field, use XSS payload
"<script>alert("course")</script>" as the name of new course and click on
save.
Step 4. This should trigger the XSS payload and anytime you click on the
"Course List" page, your stored XSS payload will be triggered.