Customer Support System 1.0 - Cross-Site Scripting (XSS) Vulnerability in "contact" field/parameter on "customer_list" Page# CVE-2023-49974
# Customer Support System 1.0 - Cross-Site Scripting (XSS) Vulnerability in "contact" field/parameter on "customer_list" Page
**Description**: Customer Support System 1.0 is vulnerable to stored XSS. A XSS vulnerability exists in version 1 of the Customer Support System. A malicious actor can insert JavaScript code through the "contact" field/parameter when editing/creating a customer. The code is executed whenever the page "/customer_support/index.php?page=customer_list" is visited.
**Vulnerable Product Version**: Customer Support System 1.0
**CVE Author**: Geraldo Alcântara
**Date**: 28/11/2023
**Confirmed on**: 19/12/2023
**CVE**: CVE-2023-49974
**Tested on**: Windows
### Steps to reproduce:
1. Log in to the application.
2. Navigate to "/customer_support/index.php?page=customer_list" to edit an existing customer or "/customer_support/index.php?page=new_customer" to create a new customer.
3. Create or edit a customer and insert the malicious payload into the "contact" field/parameter.
4. Payload:
```
</dt></b><script>alert(document.domain)</script>
```
Discoverer(s)/Credits:
Geraldo Alcântara
[4.0K] /data/pocs/811db81f0eae1e2e731e7a079fcbd539a0a8539e
└── [1.1K] README.md
0 directories, 1 file