CVE-2021–43712 Stored XSS. How I got my first CVE

Hello, This is my first CVE Write-up, and also Personally the first CVE id I’ve received.

You can read it on the official website here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43712

Vulnerable Software was Employee Daily Task Management System.

Vulnerability Description: Stored XSS in Add New Employee Form in System Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.

Payload used: <form><a href=”javascript:\u0061lert&#x28;1&#x29;”>X

Steps to reproduce:
1- Go to http://victim.com login as Admin or Manager
2- To add a new employee or task fill up some details and in the Name field enter the payload given above.
3- It will be stored in the database and whenever any user clicks on the name or try to navigate to the management field the XSS will be executed.

# Exploit Author: Varshil Patel (KnoxPro)
# Version: 1.0
# Tested on: Windows 10, 11