CodeKernel Queue Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in CodeKernel's Queue Management System version 4.0.0. This vulnerability allows authenticated administrators to inject malicious scripts through user creation fields. The injected JavaScript payloads execute when the User List page is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Users' menu. Click on 'Add User' and insert a script payload, such as a JavaScript SVG injection, into the 'First Name', 'Last Name', and 'Email' fields. After saving the user, open the 'User List' page to see the injected script executed, such as an alert box appearing.