
PHProjekt PhpSimplyGest v1.3 - Stored Cross-Site Scripting (XSS)

Published: 11 May 2022 00:00:00
Reported by: Andrea Intilangelo
Type: exploitdb
Source: www.exploit-db.com

Stored XSS in PHProjekt PhpSimplyGest v1.3.

Related

Reporter | Title | Published | Family
0day.today | PHProjekt PhpSimplyGest / MyProjects 1.3.0 Cross Site Scripting Vulnerability | 6 May 2022 00:00 | zdt
ATTACKERKB | CVE-2022-27308 | 9 May 2022 18:15 | attackerkb
Circl | CVE-2022-27308 | 16 May 2022 19:03 | circl
CNNVD | PHProjekt MyProjects Cross-Site Scripting Vulnerability | 5 May 2022 00:00 | cnnvd
CNVD | PHProjekt MyProjects Cross-Site Scripting Vulnerability | 9 May 2022 00:00 | cnvd
CVE | CVE-2022-27308 | 9 May 2022 17:29 | cve
Cvelist | CVE-2022-27308 | 9 May 2022 17:29 | cvelist
EUVD | EUVD-2022-31814 | 3 Oct 2025 20:07 | euvd
NVD | CVE-2022-27308 | 9 May 2022 18:15 | nvd
Packet Storm | PHProjekt PhpSimplyGest / MyProjects 1.3.0 Cross Site Scripting | 5 May 2022 00:00 | packetstorm

# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-05-05
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)
# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)
# Version: 1.3
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)
# CVE: CVE-2022-27308

# Description:

A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from the same vendor,
such as "MyProjects") allows an attacker to execute arbitrary web scripts or HTML.

Persistent JavaScript code injected into the title, description (or content) while creating a project, todo, timecard,
estimate, report or finding is triggered once the page is loaded.

# Steps to reproduce:

Click on Projects and add a new project or edit an existing one.

Insert the following PoC inside the Title:

   <<SCRIPT>alert("XSS here");//\<</SCRIPT>

Click on 'Send'.

When a user visits the website dashboard, or the project summary page, the JavaScript code is rendered.
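
The general mitigation for this class of bug is to encode stored fields at output time in every template that prints them. The following is an added example, not code from the advisory or from the MyProjects repository: the function names and the `$project` row are hypothetical, and the stored title is the PoC string quoted above.

```php
<?php
declare(strict_types=1);

// Constructed sample row: the advisory's PoC string stored as a project title.
$project = ['id' => 1, 'title' => '<<SCRIPT>alert("XSS here");//\<</SCRIPT>'];

// Hypothetical "before": the stored value is concatenated into markup as-is,
// so the browser parses the stored <SCRIPT> element when the page loads.
function render_title_unsafe(array $project): string
{
    return '<h3 class="project-title">' . $project['title'] . '</h3>';
}

// Output encoder for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened "after": every use of the stored value is encoded at output time.
function render_title_safe(array $project): string
{
    $title = e($project['title']);
    return '<h3 class="project-title" title="' . $title . '">' . $title . '</h3>';
}

// Regression check: true when a stored string that contains HTML
// metacharacters appears verbatim (unencoded) in the rendered page.
function leaks_markup(string $html, string $stored): bool
{
    return $stored !== '' && strpos($html, $stored) !== false
        && e($stored) !== $stored;
}

$unsafe = render_title_unsafe($project);
$safe   = render_title_safe($project);

var_dump(leaks_markup($unsafe, $project['title'])); // unescaped rendering
var_dump(leaks_markup($safe, $project['title']));   // encoded rendering
// Encoding is lossless: decoding the output gives back the stored text.
var_dump(html_entity_decode(e($project['title']), ENT_QUOTES | ENT_HTML5, 'UTF-8') === $project['title']);
```

The same encoder has to be applied on the dashboard and the project summary page, and to each of the record types the advisory lists, since all of them print the stored fields.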

Scores (11 May 2022 00:00, current):
Vulners AI Score: 5.5 (Medium risk)
CVSS 2: 3.5
CVSS 3.1: 5.4
EPSS: 0.01028