oretnom23 PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial
cpe:2.3:a:php_crud_without_refresh/reload_using_ajax_and_datatables_tutorial_project:php_crud_without_refresh/reload_using_ajax_and_datatables_tutorial:*:*:*:*:*:*:*
A cross-site scripting (XSS) vulnerability has been identified in the PHP CRUD tutorial by oretnom23, specifically in the version that utilizes Ajax and DataTables. This vulnerability allows remote attackers to execute arbitrary code by injecting malicious scripts into the first_name, last_name, and email parameters of the /ajax_crud endpoint. The absence of proper input sanitization enables the execution of these scripts, potentially leading to stored XSS attacks.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, upload the vulnerable PHP CRUD application that uses Ajax and DataTables. Once the application is running, navigate to the section where user input is collected. Enter a payload containing JavaScript into the first_name, last_name, and email fields. Submit the form, which will trigger the XSS payload execution. The injected script will be executed when the data is retrieved and displayed, demonstrating the stored XSS vulnerability.
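The mitigation for the behaviour described above, as an added example that is not code from the tutorial project or its author: encode the three fields whenever they are displayed, and validate them against an allow-list before they are stored. The field names come from the advisory; the function names, patterns, length limit and sample records are assumptions made for illustration.

```javascript
// Added example. Field names are from the advisory; function names are hypothetical.
const FIELDS = ["first_name", "last_name", "email"];
const NAME_RE = /^[\p{L}\p{M}][\p{L}\p{M} .'-]*$/u;        // letters, space, . ' -
const EMAIL_RE = /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/; // deliberately strict subset
const MAX_LEN = 100;                                        // assumed column width

// Primary control: encode HTML-significant characters at output time,
// so whatever is stored is displayed as text and never parsed as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Defence in depth: allow-list validation before the record is stored.
// Returns { ok, errors } where errors lists the rejected field names.
function validateRecord(input) {
  const errors = [];
  for (const field of FIELDS) {
    const value = typeof input[field] === "string" ? input[field].trim() : "";
    const pattern = field === "email" ? EMAIL_RE : NAME_RE;
    if (value.length === 0 || value.length > MAX_LEN || !pattern.test(value)) {
      errors.push(field);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Builds one table row from a stored record; every cell is encoded,
// including records that were stored before validation existed.
function renderRow(record) {
  const cells = FIELDS.map((f) => "<td>" + escapeHtml(record[f] ?? "") + "</td>");
  return "<tr>" + cells.join("") + "</tr>";
}

// Constructed sample records (not taken from the application).
const SAMPLES = [
  { first_name: "Ana", last_name: "O'Brien", email: "ana@example.com" },
  { first_name: "<script>alert(1)</script>", last_name: "Doe", email: "x@example.com" },
];
for (const rec of SAMPLES) {
  console.log(validateRecord(rec), renderRow(rec));
}
```

When rows are drawn by DataTables from an Ajax response, the same output encoding is available per column through its built-in text renderer, `$.fn.dataTable.render.text()`.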