CVE-2022-29359
MEDIUMSchool Club Application System 0.1 - Stored Cross-Site Scripting via Firstname Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2022-29359. PoCs published by ZSECURE.
AI-analyzed exploit summary This PoC demonstrates an unauthenticated stored XSS vulnerability in School Club Application System, leading to session cookie theft and subsequent HTML injection for RCE. The exploit chain involves injecting malicious JavaScript via the application form and leveraging stolen admin cookies to inject PHP code.
Description
A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.
Exploits (1)
This PoC demonstrates an unauthenticated stored XSS vulnerability in School Club Application System, leading to session cookie theft and subsequent HTML injection for RCE. The exploit chain involves injecting malicious JavaScript via the application form and leveraging stolen admin cookies to inject PHP code.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N