CVE-2021-46069

MEDIUM NUCLEI

Vehicle Service Management System 1.0 - XSS


Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-46069. PoCs were published by sanupl and plsanu. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical writeup for CVE-2021-46069, a stored XSS vulnerability in Vehicle Service Management System 1.0. It includes a step-by-step exploitation guide, payload, and mitigation advice.

Description

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.

Exploits (3)

nomisec WRITEUP 1 stars
by sanupl · poc
https://github.com/sanupl/CVE-2021-46069

This repository provides a detailed technical writeup for CVE-2021-46069, a stored XSS vulnerability in Vehicle Service Management System 1.0. It includes a step-by-step exploitation guide, payload, and mitigation advice.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required
Prerequisites: admin access to the application
devstral-2 · analyzed May 19, 2026

nomisec WORKING POC
by sanupl · poc
https://github.com/sanupl/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS

This repository provides a functional proof-of-concept for a stored XSS vulnerability in Vehicle Service Management System 1.0, where malicious JavaScript can be injected via the Mechanic List section. The exploit involves injecting a payload into the Full Name & Contact input fields, which executes upon saving.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required
Prerequisites: Admin access to the Vehicle Service Management System
devstral-2 · analyzed May 19, 2026

nomisec WORKING POC
by plsanu · poc
https://github.com/plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS

This repository contains a proof-of-concept for a stored XSS vulnerability in Vehicle Service Management System 1.0, where malicious JavaScript can be injected via the Mechanic List section. The payload demonstrates cookie theft via an alert dialog.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vehicle Service Management System 1.0
Auth required
Prerequisites: Admin access to the Vehicle Service Management System
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Vehicle Service Management System 1.0 - Stored Cross Site Scripting
MEDIUM · VERIFIED · by TenBird

Scores

CVSS v3 4.8
EPSS 0.0274
EPSS Percentile 84.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): vehicle_service_management_system_project/vehicle_service_management_system < 1.0
Published: Jan 06, 2022
Tracked Since: Feb 18, 2026