CVE-2024-8604: Stored XSS Vulnerability in Online Food Ordering System
Hello everyone,
This is a write-up for my newly discovered vulnerability, CVE-2024-8604, which was reported as a Stored XSS vulnerability in an Online Food Ordering System.
You can check out more updates here: vuldb.com/?id.276831
The vulnerable software is Online Food Ordering System v2.
Vulnerability Description: A stored XSS vulnerability in the Create New Account form of Online Food Ordering System v2 allows a remote attacker to inject or store arbitrary code via the First Name and Last Name fields.
Payload used: <script src=”data:,alert("xss")//
Steps to reproduce:
- Go to hxxp://TARGET[.]SITE, click on Login, then click on Create New Account.
- In the ‘Create New Account’ form, insert the above-mentioned payload or any other valid filter bypass XSS payload in: 1) First Name, 2) Last Name
- It will be stored in the database, and whenever any user clicks, opens any page, or refreshes, the code will be executed.
# Exploit/CVE Author: Varshil Desai
# Version: 2.0
# Tested on: Windows 10, 11
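
A defensive sketch of the fix for this class of bug, as an added example (not code from this write-up or from the Online Food Ordering System): allow-list validation of the First Name and Last Name fields at registration, HTML encoding at output time, and a scan for rows that already hold markup. The function names, the name policy and the sample rows are assumptions made for illustration; Python is used because the page shows none of the application's own code.

```python
import html
import re
import unicodedata

# Constructed sample rows standing in for the accounts table (not real data).
# Row 2 carries the payload quoted in the write-up, copied verbatim.
SAMPLE_USERS = [
    {"id": 1, "first_name": "Anne-Marie", "last_name": "O'Neil"},
    {"id": 2, "first_name": '<script src=”data:,alert("xss")//', "last_name": "Doe"},
    {"id": 3, "first_name": "José", "last_name": "Núñez"},
]

# Assumed policy: a letter first, then letters, space, apostrophe, dot or
# hyphen, 50 characters at most. Adjust to the application's real requirements.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '.\-]){0,49}")


def validate_name(value):
    """Return the normalised name, or raise ValueError if it is not name-like."""
    name = unicodedata.normalize("NFC", value).strip()
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains characters outside the allow-list")
    return name


def render_greeting_unsafe(user):
    # Hypothetical vulnerable pattern: stored value concatenated into markup.
    return "<p>Welcome, " + user["first_name"] + " " + user["last_name"] + "</p>"


def render_greeting(user):
    # Hardened: encode for the HTML context every time the value is output,
    # so a value that slipped past validation is shown as text, not parsed.
    full_name = user["first_name"] + " " + user["last_name"]
    return "<p>Welcome, " + html.escape(full_name, quote=True) + "</p>"


def find_suspect_rows(users):
    """List (id, field) pairs whose stored value fails the name policy."""
    suspect = []
    for user in users:
        for field in ("first_name", "last_name"):
            try:
                validate_name(user[field])
            except ValueError:
                suspect.append((user["id"], field))
    return suspect
```

Output encoding is the control that closes the hole; the validation and the scan reduce what reaches the database and locate entries stored before the fix.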