1000projects Online Project Report Submission and Evaluation System Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the 1000projects Online Project Report Submission and Evaluation System version 1.0. The issue resides in the file '/admin/edit_title.php?id=1', where the 'desc' parameter can be manipulated to inject malicious script code. This vulnerability allows for the execution of arbitrary scripts in the context of the user's browser, potentially leading to the theft of cookies, session tokens, or other sensitive information. The vulnerability can be exploited remotely without any authentication requirements, although it does require some form of user interaction.

Impact

Exploitation of this vulnerability allows attackers to execute scripts in the context of the user's browser, which can be used to steal cookies, session tokens, or other sensitive information. This could also allow attackers to perform actions on behalf of the user, redirect them to malicious websites, or gain control of their browser.

Reproduction

To reproduce this vulnerability, send a request to '/rse/admin/edit_title.php?id=1' with the 'desc' parameter containing a script tag, such as '<script>alert("XSS")</script>'. This can be done using a tool that allows for the manipulation of HTTP request data, such as Burp Suite or Postman.

Remediation

It is recommended to implement proper output encoding for user inputs, especially in the 'desc' parameter, to prevent the execution of injected scripts. Additionally, regular security audits should be conducted to identify and address such vulnerabilities.
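The output encoding recommended above, as an added example that is not the application's own code: the function names and the surrounding markup are hypothetical, since the page does not show how edit_title.php renders 'desc'. It sets the unencoded pattern beside encoders for HTML content, quoted attributes, and inline script.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; names and markup are assumptions, not taken from the application.

// Encode for HTML element content and for quoted attribute values.
function html_encode(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the function return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for use as a JavaScript string literal inside an inline <script> block.
function js_encode(string $value): string
{
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes so the
    // value cannot close the script element or the enclosing string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Vulnerable pattern: the request value is concatenated into markup as-is.
function render_desc_unencoded(string $desc): string
{
    return '<p class="desc">' . $desc . '</p>'
         . '<input type="text" name="desc" value="' . $desc . '">';
}

// Hardened pattern: the same markup with the value encoded at the point of output.
function render_desc_encoded(string $desc): string
{
    return '<p class="desc">' . html_encode($desc) . '</p>'
         . '<input type="text" name="desc" value="' . html_encode($desc) . '">';
}

// Constructed input: the test string from the Reproduction section.
$desc = '<script>alert("XSS")</script>';

echo "unencoded: ", render_desc_unencoded($desc), PHP_EOL;
echo "encoded:   ", render_desc_encoded($desc), PHP_EOL;
echo "js:        var desc = ", js_encode($desc), ";", PHP_EOL;
```

Encoding is applied when the value is written into the page, not when it is stored, so the same stored value can be rendered correctly in each context.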

Added: Aug 26, 2025, 2:20 AM
Updated: Aug 26, 2025, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.0
exploitability: 7.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.