## https://sploitus.com/exploit?id=PACKETSTORM:161114
# Exploit Title: Daily Expense Tracker System Stored Cross-Site Scripting Vulnerability  
# Date: 2021-01-26  
# Exploit Author: Priyanka Samak  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/  
# Software: Daily Expense Tracker System  
# Version: 1.0  
# Vulnerability Type: Cross-site Scripting  
# Vulnerability: Stored XSS  
# Tested on Windows 10  
# This application is vulnerable to stored XSS.  
# Vulnerable scripts:  
1) http://localhost/dets/user-profile.php  
2) http://localhost/dets/add-expense.php  
# Vulnerable parameters: 'Full Name' and 'Item'  
# Payload used: <script>alert('document.cookie')</script>  
# POC: When you view the details under the Manage Expense tab and the User Profile tab, you will see your JavaScript code execute.  
  
  
Thanks and Regards, Priyanka Samak
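
Added example (not part of the original advisory and not the application's own source): a PHP sketch of the output encoding that stops the stored 'Item' and 'Full Name' values from being interpreted as markup when they are displayed. The function names, array keys and sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not the application's source.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored values concatenated into markup unchanged. */
function renderExpenseRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['item'] . '</td><td>' . $row['cost'] . '</td></tr>';
}

/** Hardened pattern: every stored field is encoded at output time. */
function renderExpenseRowSafe(array $row): string
{
    return '<tr><td>' . e($row['item']) . '</td><td>' . e((string) $row['cost']) . '</td></tr>';
}

/** Profile form: the value sits in a quoted attribute, so quotes are encoded too. */
function renderProfileFieldSafe(string $fullName): string
{
    return '<input type="text" name="fullname" value="' . e($fullName) . '">';
}

// Constructed sample rows, standing in for what the database would return.
$rows = [
    ['item' => 'Groceries', 'cost' => '42.50'],
    ['item' => "<script>alert('document.cookie')</script>", 'cost' => '1'],
];

foreach ($rows as $row) {
    echo 'unsafe: ', renderExpenseRowUnsafe($row), PHP_EOL;
    echo 'safe:   ', renderExpenseRowSafe($row), PHP_EOL;
}

// Constructed name containing both quote characters.
echo renderProfileFieldSafe('Sam "S" O\'Neil'), PHP_EOL;
```

Encoding is applied where the value is written into the page, not where it is saved, so rows already stored in the database are covered as well.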