Phpgurukul Vehicle Record Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Phpgurukul Vehicle Record Management System version 1.0. This vulnerability exists in the admin edit vehicle component, specifically within the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, and enginenumber parameters. The application fails to sanitize user input before storing it in the database. As a result, injected scripts are executed when the vehicle record is edited, allowing for the execution of arbitrary web scripts or HTML in the victim's browser.

Impact

Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user editing the vehicle record. This could lead to session hijacking, privilege escalation, data exfiltration, phishing or redirection attacks, and denial-of-service conditions by disrupting the application's user interface for administrators.

Reproduction

To reproduce this vulnerability, log into the admin panel of the Vehicle Record Management System. Navigate to the 'Manage Vehicles' section and open an existing vehicle for editing, or directly access the edit vehicle page for a specific record. Once on the edit vehicle page, inject a script payload into each of the vulnerable fields: Vehicle Name, Model Number, Registration Number, Vehicle Subtype, Chasis Number, and Engine Number. After submitting the form, reload the edit vehicle page for the same record to observe the execution of the injected scripts.

Remediation

To address this vulnerability, implement input sanitization before storing data in the database and apply output encoding when rendering data sourced from the database. Additionally, consider applying a Content Security Policy header and implementing format-specific validation for each affected field.