Headline
CVE-2021-40909: CVE-nu11secur1ty/vendors/oretnom23/CVE-nu11-10-09102021 at main · nu11secur1ty/CVE-nu11secur1ty
Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud.
CVE-nu11-10-09102021
Vendor****Description:
The PHP CRUD (by: oretnom23 ) is vulnerable to XSS Stored Attack and remote SQL-Injection special characters. In the application: ajax_crud the parameters, first_name, last_name, and email are vulnerable to XSS Stored attack! When the user will sending a malicious javascript payload, he can store a special character - string, onto the MySQL server. The MySQL server can’t read it because there have no prepared statements or the appropriate replacement/formatting rules in order to prevent SQL injection and the system will be down. Status: CRITICAL
Documentation, HOW TO CHARACTER SET Statement:
href
Proof:
href