CVE-2020-28129

MEDIUM

Gym Management System 1.0 - Stored Cross-Site Scripting via Package Name and Description Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28129. PoCs published by Jyotsna Adhana.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Gym Management System 1.0 by injecting a malicious script into the 'Package Name' and 'Description' fields. The payload executes when a user visits the Packages section, stealing cookies.

Description

Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'.

Exploits (1)

exploitdb WORKING POC

by Jyotsna Adhana · textwebappsphp

https://www.exploit-db.com/exploits/48941

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Gym Management System 1.0 by injecting a malicious script into the 'Package Name' and 'Description' fields. The payload executes when a user visits the Packages section, stealing cookies.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Gym Management System 1.0

Auth required

Prerequisites: Access to the application's package management interface · Valid session cookie

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product x_refsource_misc

https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48941

Scores

CVSS v3 6.1

EPSS 0.0095

EPSS Percentile 56.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

admerc/gym_management_system 1.0

Published Nov 17, 2020

Tracked Since Feb 18, 2026