Exploit for Alumni Management System 1.0 Cross Site Scripting CVE-2020-28071

Name: Exploit for Alumni Management System 1.0 Cross Site Scripting CVE-2020-28071
Rating: 5 (141 reviews)

2020-12-17 | CVSS -0.1

## https://sploitus.com/exploit?id=PACKETSTORM:160591
# Exploit Title: Stored XSS on Alumni Management System   
# Date: 23/10/2020  
# Exploit Author: Valerio Alessandroni  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-s ource-code.html  
# Version: 1.0  
# Tested on: ubuntu 18.04  
# CVE : CVE-2020-28071  
# Description:  
An attacker after the admin authentication, can upload an image in the gallery, using a XSS payload in the description textarea called "about" and reach a stored XSS.  
# Reproduction:  
- Login as "admin"  
- upload an image in the gallery area in the administration panel injecting Javascript code in the textarea called "about"  
- The obtained XSS affects the administration panel (ex: http://127.0.0.1/admin/index.php?page=gallery) and  
the public gallery (ex: http://127.0.0.1/index.php?page=gallery)