Badminton Center Management System Userlist Module cross site scripting
Description
A vulnerability classified as problematic was found in Badminton Center Management System. It affects the userlist module at /bcms/admin/?page=user/list. Manipulation of the argument username with the input 1 leads to authenticated cross site scripting. Exploit details have been disclosed to the public.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the userlist module of Badminton Center Management System via the username parameter allows an authenticated administrator to inject script that runs in the browser of every administrator who views the list.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the userlist module of Badminton Center Management System at /bcms/admin/?page=user/list. The username value is saved without validation and later rendered into the user list without output encoding, so an authenticated attacker can inject arbitrary HTML and JavaScript that persists in the database. The vulnerability is present in the version distributed through SourceCodester; no specific version number was disclosed [1].
Exploitation
An attacker must be authenticated with admin privileges (the disclosure used the default credentials admin/admin123). Steps: 1) Log in to the admin panel. 2) Navigate to the userlist page. 3) Click the edit button on an existing user. 4) In the username field, insert a payload such as 123. 5) Click "Edit Account" to save. The payload is stored and executes whenever any administrator views the userlist page [1].
Impact
Successful exploitation leads to persistent execution of arbitrary JavaScript in the browser of any administrator visiting the userlist page. This can result in session hijacking, cookie theft, page defacement, or further actions performed with the victim's privileges inside the application [1]. Because storing the payload already requires an administrator account, the practical value lies in reaching other administrators' sessions or keeping a foothold after the attacker's own access is revoked; the flaw does not by itself grant privileges the attacker lacks.
Mitigation
No official patch has been released by the vendor, and the project's maintenance status is unknown. As a workaround, validate the username on input (for example, restrict it to a conservative character set) and, more importantly, apply context-appropriate output encoding to every user-supplied value rendered in the user list and elsewhere in the admin panel. Consider disabling the userlist functionality if it is not needed [1].
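The following PHP script is an added illustration of the rendering flaw and its fix; it is not code from the Badminton Center Management System project. It models a user-list template in the style of a SourceCodester PHP app: the first renderer concatenates the stored username straight into HTML (the pattern the advisory describes), the second encodes every user-controlled value at the point of output. The row data, the column names and the helper names (`sampleUsers`, `renderUserListVulnerable`, `renderUserListSafe`, `e`, `containsRawPayload`) are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Models the admin user list at
// /bcms/admin/?page=user/list: a stored username is rendered either raw
// (vulnerable) or HTML-encoded (hardened). Run with: php userlist_example.php
declare(strict_types=1);

// Constructed sample rows; the real application reads these from its users table.
// Row 2 carries a script payload of the kind an authenticated admin could save
// through the "Edit Account" form, row 3 an attribute-breakout attempt.
function sampleUsers(): array
{
    return [
        ['id' => 1, 'username' => 'admin',                                   'name' => 'Administrator'],
        ['id' => 2, 'username' => '<script>alert(document.cookie)</script>', 'name' => 'Mallory'],
        ['id' => 3, 'username' => '" onmouseover="alert(1)',                 'name' => 'Eve'],
    ];
}

// Vulnerable pattern: stored values are interpolated directly into markup, so any
// tags in the username become part of the page and execute for every admin who loads it.
function renderUserListVulnerable(array $users): string
{
    $html = "<table>\n";
    foreach ($users as $u) {
        $html .= "  <tr data-id=\"{$u['id']}\">"
               . "<td>{$u['username']}</td>"
               . "<td>{$u['name']}</td>"
               . "</tr>\n";
    }
    return $html . "</table>\n";
}

// Encoder for HTML text nodes and double-quoted attribute values.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning '' (which would silently blank the field).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every user-controlled value is encoded at the point of output.
// Input validation on the username is a worthwhile second layer, but output encoding
// is what neutralises whatever is already stored in the database.
function renderUserListSafe(array $users): string
{
    $html = "<table>\n";
    foreach ($users as $u) {
        $id = (int) $u['id']; // an integer cast needs no further escaping
        $html .= "  <tr data-id=\"{$id}\">"
               . '<td>' . e($u['username']) . '</td>'
               . '<td>' . e($u['name']) . '</td>'
               . "</tr>\n";
    }
    return $html . "</table>\n";
}

// Template review check: raw script tags or a live attribute breakout from the
// sample rows must not survive into the rendered output.
function containsRawPayload(string $html): bool
{
    return stripos($html, '<script') !== false
        || strpos($html, 'onmouseover="') !== false;
}

$users = sampleUsers();
$vuln  = renderUserListVulnerable($users);
$safe  = renderUserListSafe($users);

echo 'vulnerable renderer leaks payload: ' . var_export(containsRawPayload($vuln), true) . "\n";
echo 'hardened renderer leaks payload:   ' . var_export(containsRawPayload($safe), true) . "\n";
echo $safe;
```

The first check prints `true` and the second `false`: in the hardened output the second row's username appears as `&lt;script&gt;alert(document.cookie)&lt;/script&gt;` and the third as `&quot; onmouseover=&quot;alert(1)`, both inert text. Encoding must be chosen per output context; `htmlspecialchars` covers HTML body and quoted attributes, but a username echoed inside a `<script>` block or a URL needs JavaScript-string or URL encoding instead.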
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- unspecified/Badminton Center Management System v5, Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/ch0ing/vul/blob/main/WebRay.com.cn/Badminton%20Center%20Management%20System%28XSS%29.md (MISC)
2. vuldb.com (MISC)
News mentions
No linked articles in our index yet.