Key Information

Vulnerability Title: PHPGurukul Bus Pass Management System Stored Cross-Site Scripting (XSS)

Description: A stored cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Bus Pass Management System version 1.0. The vulnerability exists in the admin profile page, specifically at /admin/admin-profile.php. An attacker with administrative privileges can inject malicious scripts into input fields (such as the name, contact details, or other editable profile fields). These scripts are permanently stored in the application's database and executed whenever any user accesses the /admin/admin-profile.php page.

Reproduction Steps
1. Access the website.
2. Navigate to the profile page.
3. Edit the profile name and insert an XSS payload.
4. After the payload is saved, an alert is triggered whenever any part of the site is clicked.

Impact: The stored XSS vulnerability may lead to the following risks:
- Administrator account takeover: attackers can inject scripts to steal the session cookies of other administrators.
- Website defacement: alter the appearance or content of the admin profile page or other parts of the application.
- Malware distribution: redirect users to malicious websites or force downloads of malicious drivers.
- Privilege escalation: perform unauthorized actions under the identity of the compromised administrator.
- Data leakage: steal sensitive information displayed on affected pages.

Source: http://localhost/buspassmg/admin/admin-profile.php

Submitter: Anzil (UID:87131)
Submission Date: June 1, 2025, 01:46 PM
Review Date: June 19, 2025, 09:26 AM
Status: Accepted
VulDB Entry: PHPGurukul Bus Pass Management System 1.0 Profile Page (/admin/admin-profile.php profile name cross site scripting)
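The root cause described above is a stored value being written back into the page without output encoding. The following is an added example, not code from PHPGurukul or from this report, showing the vulnerable rendering pattern next to a hardened one. The record shape ($row with AdminName and MobileNumber), the helper names h() and validateAdminName(), and the sample values are all assumptions constructed for illustration.

```php
<?php
// Added example (not PHPGurukul code): rendering admin profile fields safely.
// $row stands in for the profile record fetched from the database; the
// column names and the sample content below are constructed for this example.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a double-quoted attribute. */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Server-side check applied when the profile is saved: non-empty, bounded length,
 * letters/digits/space and a few punctuation marks only. This limits what can be
 * stored, but output encoding in h() remains the primary defence.
 */
function validateAdminName(string $name): bool
{
    $name = trim($name);
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{M}\p{N} .\'-]+$/u', $name) === 1;
}

// Defence in depth: a restrictive CSP must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Constructed sample record: the name contains markup, as a stored payload would.
$row = ['AdminName' => 'Alice <b>Admin</b> "O\'Neil"', 'MobileNumber' => '0123456789'];

// VULNERABLE pattern: the stored value is echoed verbatim, so any markup saved
// in the profile name is interpreted by every browser that loads the page.
// echo '<input type="text" name="adminname" value="' . $row['AdminName'] . '">';

// HARDENED pattern: encode at the point of output, for the text node and the attribute.
echo '<h4>' . h($row['AdminName']) . '</h4>' . PHP_EOL;
echo '<input type="text" name="adminname" value="' . h($row['AdminName']) . '">' . PHP_EOL;
echo '<input type="text" name="mobilenumber" value="' . h($row['MobileNumber']) . '">' . PHP_EOL;

// On save, reject names that fail validation before they reach the database.
var_dump(validateAdminName($row['AdminName']));   // bool(false): contains '<' and '>'
var_dump(validateAdminName("Alice O'Neil"));      // bool(true)
```

With the hardened pattern the sample name is emitted as `Alice &lt;b&gt;Admin&lt;/b&gt; &quot;O&#039;Neil&quot;`, which the browser displays as literal text rather than parsing as HTML, and the same encoding inside the `value="..."` attribute prevents a stored string from closing the attribute. The validation function and the CSP header narrow the attack surface further, but neither replaces encoding at every output point that prints profile fields.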