## https://sploitus.com/exploit?id=PACKETSTORM:222887
# Stored Cross-Site Scripting (XSS) in Computer Laboratory Management System v1.0
## Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Computer Laboratory Management System v1.0. The application writes the **First Name** and **Last Name** values from the user profile functionality into its HTML without output encoding. An authenticated user (the proof of concept below uses an administrative account) can save JavaScript in these fields; the payload is stored by the application and executes in the browser each time the affected profile information is rendered.
Successful exploitation of this vulnerability may allow attackers to execute arbitrary JavaScript in the context of a victim's browser, potentially leading to session hijacking, account takeover, credential theft, and unauthorized actions.
## Vulnerability Details
* Product Name: Computer Laboratory Management System
* Version: 1.0
* Vulnerability Type: Stored Cross-Site Scripting (Stored XSS)
* CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
## Affected Component
* My Account Profile Management
* First Name Parameter
* Last Name Parameter
## Steps to Reproduce
1. Log in to the application using valid administrative credentials.
2. Navigate to the **My Account** page.
3. Click on **Edit Profile** or update the account details.
4. Insert the following payload into the **First Name** field:
   ```html
   <script>alert(document.domain)</script>
   ```
5. Insert the following payload into the **Last Name** field:
   ```html
   <script>alert(document.cookie)</script>
   ```
6. Save the profile changes. The application accepts both values without rejecting or encoding them.
7. Refresh the page or revisit the profile section where the user information is displayed.
8. Observe that both alerts fire: the first shows the application's origin, confirming the script runs in the application's context, and the second shows any cookies not flagged `HttpOnly`. In the page source the payload appears verbatim rather than as `&lt;script&gt;`, which shows the fields are written into the HTML without output encoding.
9. The payload remains stored within the application and executes on every render of the affected profile data, confirming a Stored (as opposed to Reflected) Cross-Site Scripting vulnerability.
## Impact
An attacker can store arbitrary JavaScript code within the application. When the malicious content is viewed, the script executes in the victim's browser context. Because the proof of concept edits the attacker's own profile, the exposure of other users depends on where the application renders stored first and last names (for example, in account or user listings visible to other roles); confirm that before rating the issue above self-XSS. The `document.cookie` payload reads only cookies not flagged `HttpOnly`, but the script can still issue authenticated requests inside the application on the victim's behalf. Successful exploitation may result in:
* Session Hijacking
* Cookie Theft
* Credential Theft
* Account Takeover
* Privilege Escalation
* Unauthorized Actions Performed on Behalf of Victims
* Phishing Attacks
* Defacement of Application Content
## Remediation
* Apply context-aware output encoding at the point where the stored first and last names are written into HTML (HTML entity encoding for text and attribute contexts, JavaScript string encoding inside scripts). This is the fix; the remaining items are defense in depth.
* Implement strict server-side validation on save (length and character-class limits), but do not rely on it to block XSS: names legitimately contain characters such as apostrophes, and blocklists of tags or keywords are routinely bypassed.
* Never render user-supplied data as raw HTML; if rich text is ever required, pass it through an allowlist-based HTML sanitizer rather than hand-written filtering.
* Deploy a Content Security Policy that disallows inline scripts (for example `script-src 'self'` or a nonce-based policy), so that a missed encoding does not directly yield script execution.
* Mark session cookies `HttpOnly` and `Secure` so that a successful injection cannot read them via `document.cookie`.
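The following Python is an added illustration for this advisory, not code from Computer Laboratory Management System (whose source is not shown here). It places the unencoded render pattern behind CWE-79 beside an output-encoded version, using the two payloads above as constructed sample data, and shows why validation alone is the wrong place to stop XSS. The field names, markup, function names and CSP value are assumptions made for the example.

```python
import html

# Constructed sample: the two payloads from the advisory, as they would sit in
# the user record after the Edit Profile form accepted them.
STORED_PROFILE = {
    "first_name": "<script>alert(document.domain)</script>",
    "last_name": "<script>alert(document.cookie)</script>",
}

# Assumed CSP for a hardened deployment: same-origin scripts only, no inline
# script, so a payload that slips past encoding still does not execute.
# Defense in depth, not a substitute for encoding.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


def validate_name(value: str, max_len: int = 64) -> bool:
    """Server-side validation on save: non-empty, bounded, no control chars.

    Deliberately does not try to strip '<' or 'script'. Blocklists are easy to
    bypass and a legitimate name such as O'Brien must remain valid; output
    encoding (below) is what actually prevents XSS.
    """
    if not value or len(value) > max_len:
        return False
    return not any(ord(c) < 0x20 for c in value)


def render_profile_vulnerable(profile: dict) -> str:
    """The CWE-79 pattern: stored values interpolated straight into HTML.

    Assumed markup. Both the text node and the form fields' value attributes
    are affected, so the payload would run on the profile view and again
    when an edit form redisplays the stored values.
    """
    return (
        "<p>Name: {first_name} {last_name}</p>\n"
        '<input type="text" name="firstname" value="{first_name}">\n'
        '<input type="text" name="lastname" value="{last_name}">'
    ).format(**profile)


def encode_html_text(value: str) -> str:
    """Encoding for data placed between tags."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Encoding for data placed inside a double-quoted attribute value.

    Same character set as the text context here; kept separate because other
    contexts (URL, JavaScript string, CSS) need different encoders, and a single
    'escape everything' helper is how attribute breakouts get missed.
    """
    return html.escape(value, quote=True)


def render_profile_hardened(profile: dict) -> str:
    """Same markup, with each value encoded for the context it lands in."""
    first = profile["first_name"]
    last = profile["last_name"]
    return (
        f"<p>Name: {encode_html_text(first)} {encode_html_text(last)}</p>\n"
        f'<input type="text" name="firstname" value="{encode_html_attr(first)}">\n'
        f'<input type="text" name="lastname" value="{encode_html_attr(last)}">'
    )


def payload_survives(rendered: str, payload: str) -> bool:
    """True when the stored payload reaches the page byte-for-byte, i.e. the
    browser will parse it as markup rather than display it as text."""
    return payload in rendered


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable),
                          ("hardened", render_profile_hardened)):
        out = render(STORED_PROFILE)
        live = payload_survives(out, STORED_PROFILE["first_name"])
        print(f"{label}: script payload survives = {live}\n{out}\n")
```

Running the module prints both renderings: the vulnerable one contains the `<script>` tags verbatim, the hardened one shows them as `&lt;script&gt;`, which a browser displays as literal text. Note that `validate_name` accepts the payloads; that is intentional, since rejecting `<` would also reject many legitimate inputs and would still leave every other render site unprotected.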
## References
* CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), https://cwe.mitre.org/data/definitions/79.html
* OWASP Cross Site Scripting Prevention Cheat Sheet, https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
## Credits
Discovered and Reported by: Subodh Sharma
## Vendor
Computer Laboratory Management System v1.0