Gilnei Moraes phpABook Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Gilnei Moraes phpABook version 0.9. The 'rol' parameter of 'index.php' is reflected into the page without adequate validation or output encoding, so a remote attacker can inject arbitrary HTML and script into the response. Note that this is script execution in the victim's browser, within the origin of the phpABook application, not code execution on the server.

Impact

A successful attack runs attacker-controlled script in the victim's browser under the application's origin. This can disclose sensitive information such as session cookies (unless they are marked HttpOnly) or perform actions in the application as the logged-in victim. Because the payload travels in a URL parameter, the attacker typically has to get a victim to open a crafted link.

Reproduction

To reproduce this vulnerability, request the 'index.php' page of the phpABook application with the 'rol' parameter set to an XSS payload, for example a script tag whose JavaScript calls alert(). The same parameter is submitted by the 'Show All' tab, so the payload can also be injected through that tab. If the payload appears in the response unencoded, the instance is vulnerable; if it comes back HTML-entity encoded, output encoding is in place.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 3.8
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.