CVE-2022-40470 - Cross-Site Scripting in Blood Donor Management System Using CodeIgniter v1.0
Date: 9 Sep 2022
Vendor Homepage: Phpgurukul
Software Link: Download Blood Donor Management System
Version: v1.0
Tested on: Windows 10, Kali Linux
CVE: CVE-2022-40470
Description: Phpgurukul Blood Donor Management System 1.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the “Add Blood Group Name” feature. The “Blood Group Name” field is saved without validation and later rendered on the “Manage Blood Group” page without output encoding, so HTML or JavaScript placed in the field is persisted and executes in the browser of any admin who views that page. Note that the form is only reachable after admin login: planting the payload requires admin credentials or a way to make an admin submit the form, so the practical impact depends on how the application is deployed and who holds admin access.
Steps to Reproduce:
- Log in as an admin in the Blood Donor Management System.
- Navigate to the “Add Blood Group Name” feature.
- Enter an XSS test payload in the “Blood Group Name” field, for example `<script>alert(document.domain)</script>`.
- Click “Submit.” The value is stored as-is.
- Open “Manage Blood Group”. The stored name is rendered without encoding and the payload executes in the admin’s browser.
Proof of Concept: View Proof of Concept Video
Exploit Author’s Notes: This is a stored (persistent) XSS. The payload is submitted once through the “Add Blood Group Name” form and then fires every time the “Manage Blood Group” page is loaded, with no further action from the attacker, so a single injection affects every admin session that later views the list. That persistence is what makes the finding more serious than a one-off reflected payload.
Mitigation: Encode the stored value for its HTML context at render time wherever blood group names are displayed (in PHP, htmlspecialchars() with ENT_QUOTES and UTF-8; CodeIgniter’s html_escape() in v3 and esc() in v4 serve the same purpose), and validate the field on input against an allow-list of expected values rather than trying to strip “dangerous” characters. A Content-Security-Policy that forbids inline script limits the damage if an encoding call is missed somewhere. A web application firewall can flag common payloads but is not a fix; it belongs in front of, not instead of, the code changes above.
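The vulnerable and hardened render paths side by side, as an added illustration written for this advisory rather than code taken from the Phpgurukul project (whose source is not reproduced here). The function names, the in-memory “storage” and the allow-list of accepted group names are assumptions made for the demo; the escaping call is standard PHP.

```php
<?php
// Added illustration (not Phpgurukul's code): how a "Blood Group Name" entered
// on the Add form becomes stored XSS when the Manage page echoes it unescaped,
// and the two fixes (output encoding + input allow-listing).
// Function names and sample data are hypothetical. Run with: php bdms_xss_demo.php
declare(strict_types=1);

// Constructed sample input: one benign value and one XSS test payload,
// standing in for rows saved by the "Add Blood Group Name" form.
$storedNames = [
    'O+',
    '<script>alert(document.domain)</script>',
];

/**
 * Vulnerable pattern: the stored value is interpolated straight into the
 * table markup, so any HTML in it is parsed by the admin's browser.
 */
function renderRowVulnerable(string $name): string
{
    return "<tr><td>$name</td></tr>";
}

/**
 * Fix 1 (output): encode for the HTML text context at render time.
 * ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids an empty
 * string on invalid UTF-8, which would otherwise silently hide data.
 */
function renderRowSafe(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>$safe</td></tr>";
}

/**
 * Fix 2 (input): blood-group names have a tiny legitimate alphabet, so
 * allow-list them instead of trying to strip "bad" characters.
 * Assumed accepted form: ABO type plus Rh sign, e.g. A+, AB-, O+ (any case).
 * Adjust the pattern if a deployment uses other labels.
 */
function isValidBloodGroupName(string $name): bool
{
    return (bool) preg_match('/^(A|B|AB|O)[+-]$/i', trim($name));
}

foreach ($storedNames as $name) {
    echo 'Input:      ', json_encode($name, JSON_UNESCAPED_SLASHES), PHP_EOL;
    echo '  validate: ', isValidBloodGroupName($name) ? 'accept' : 'reject', PHP_EOL;
    echo '  vulnerable: ', renderRowVulnerable($name), PHP_EOL;
    echo '  hardened:   ', renderRowSafe($name), PHP_EOL;
}
```

For the payload row the hardened output contains `&lt;script&gt;...&lt;/script&gt;`, which the browser displays as text instead of executing, and the validator rejects the value before it is ever stored. Both layers matter: the allow-list keeps junk out of the database, and the encoding protects any other view that later displays the same column. Values placed inside a JavaScript block or a URL need the encoding for that context rather than htmlspecialchars().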
Discovered & Reported by: RashidKhan Pathan, 9 Sep 2022. Twitter: @itRashid