- Exploit Title: CVE-2024-29717 - QR Code Attendance System - Cross-Site Scripting (XSS)
- Date: 2024-14-03
- Exploit Author: Burak Sevben
- Vendor Homepage: https://www.sourcecodester.com/php/17242/qr-code-attendance-system-using-php-and-mysql-source-code.html
- Software Link: https://www.sourcecodester.com/download-code?nid=17242&title=QR+Code+Attendance+System+Using+PHP+and+MySQL+with+Source+Code
- Version: 1.0
- Tested on: Kali Linux + PHP 8.2.12, Apache 2.4.58
- CVE: CVE-2024-29717
QR Code Attendance System contains a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied data before rendering it in the page. An attacker could exploit this issue to run arbitrary script code in an unsuspecting user's browser in the context of the affected site. This could allow an attacker to steal cookie-based authentication credentials and launch other attacks.
- Go to "http://localhost/qr-code-attendance-system/masterlist.php"
- Press the 'Add Student' button.
- In the 'Full Name' field, enter the following payload:
"><img src=x onerror=alert(document.domain)>
- Then press the 'Generate QR Code' button.
- The injected script executes (the alert fires), confirming the XSS.
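As an added illustration (not code from the QR Code Attendance System or from the advisory author), the unsafe output pattern behind this class of bug is shown beside its hardened form in PHP; the field name full_name, the echo layout and the helper names are assumptions, and the payload is the one from the steps above:

```php
<?php
// Added example, not the application's own code: unsafe rendering of a
// user-supplied name beside the hardened version. Field name and markup
// layout are assumptions; the payload is the advisory's PoC string.
declare(strict_types=1);

// Vulnerable: user-controlled data is echoed straight into an HTML attribute.
// A value beginning with "> closes the attribute and the tag, so the rest of
// the string is parsed as markup by the browser.
function renderNameUnsafe(string $fullName): string
{
    return '<input type="text" name="full_name" value="' . $fullName . '">';
}

// Hardened: encode for the HTML attribute context at the point of output.
// ENT_QUOTES encodes both ' and " so the value cannot terminate the attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding an empty string;
// the charset argument must match the page's declared encoding.
function renderNameSafe(string $fullName): string
{
    $encoded = htmlspecialchars($fullName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="full_name" value="' . $encoded . '">';
}

// Regression check for a template that should emit exactly one tag: any
// additional tag start means the value broke out of the attribute. Apply the
// same encoding rule everywhere the name is displayed (master list, QR label),
// not only on the form where it was entered.
function containsMarkupBreakout(string $html): bool
{
    return preg_match_all('/<[a-zA-Z]/', $html) !== 1;
}

$poc = '"><img src=x onerror=alert(document.domain)>'; // payload from the advisory
echo renderNameUnsafe($poc), PHP_EOL;
echo renderNameSafe($poc), PHP_EOL;
var_dump(containsMarkupBreakout(renderNameUnsafe($poc)));
var_dump(containsMarkupBreakout(renderNameSafe($poc)));
```

Run it with the PHP CLI (php example.php) to compare the two renderings; the hardened one keeps the whole payload inside the value attribute as inert text.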