CVE-2024-8604: Stored XSS Vulnerability in Online Food Ordering System

Varshil Desai
Sep 9, 2024


Hello Everyone,

This is a write-up for my newly discovered vulnerability, CVE-2024-8604, which was reported as a Stored XSS vulnerability in an Online Food Ordering System.

You can check out more updates here: vuldb.com/?id.276831

The vulnerable software is Online Food Ordering System v2.

Vulnerability Description: A stored XSS vulnerability in the Create New Account form of Online Food Ordering System v2 allows a remote attacker to inject and store arbitrary script via the First Name and Last Name fields; the stored value is later rendered unescaped to other users.

Payload used: <script src="data:&comma;alert(&quot;xss&quot;)//

Steps to reproduce:

  1. Go to hxxp://TARGET[.]SITE, click on Login, then click on Create New Account.
  2. In the ‘Create New Account’ form, insert the above-mentioned payload (or any other valid filter-bypass XSS payload) in: 1) First Name, 2) Last Name.
  3. The value is stored in the database, and whenever any user opens or refreshes a page that displays it, the script is executed in that user's browser.
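As an added defensive illustration (not code from the affected project, which this post does not show), the following Python contrasts the unescaped rendering that lets a stored name execute with per-render output encoding plus a server-side allowlist for the name fields. The stored sample is the payload above; the function names, template and name rules are assumptions.

```python
import html
import re

# Constructed sample: the reported payload as it would sit in the first-name
# column after registration (assumption about how the project stores it).
STORED_PAYLOAD = '<script src="data:&comma;alert(&quot;xss&quot;)//'

def render_greeting_unsafe(first_name: str, last_name: str) -> str:
    """Mirrors the bug class: stored values are concatenated straight into HTML."""
    return f"<p>Welcome, {first_name} {last_name}!</p>"

def render_greeting_safe(first_name: str, last_name: str) -> str:
    """Encode for the HTML text context on every render, not only at save time.

    html.escape() turns <, >, &, " and ' into entities, so a stored tag (or a
    pre-encoded entity such as &comma;) is shown literally instead of parsed.
    """
    return f"<p>Welcome, {html.escape(first_name)} {html.escape(last_name)}!</p>"

# Assumed allowlist for First Name / Last Name: must start with a letter, then
# letters, spaces, apostrophes, hyphens or dots, at most 50 characters in total.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-.]){0,49}$")

def validate_name(value: str) -> bool:
    """Server-side input validation for the name fields (defense in depth only;
    output encoding above is what actually prevents the stored XSS)."""
    return bool(NAME_RE.fullmatch(value.strip()))

if __name__ == "__main__":
    print(render_greeting_unsafe(STORED_PAYLOAD, "x"))  # tag reaches the browser
    print(render_greeting_safe(STORED_PAYLOAD, "x"))    # tag is shown as text
    print(validate_name(STORED_PAYLOAD), validate_name("Mary-Jane O'Neil"))
```

Validation alone is not sufficient: names legitimately contain apostrophes, and any field rendered into HTML must still be encoded at output.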

# Exploit/CVE Author: Varshil Desai

# Version: 2.0

# Tested on: Windows 10, 11


Varshil Desai

A passionate cybersecurity professional; Security Analyst and Bug Bounty hunter with an interest in the Threat & Vulnerability domain.