Phpgurukul Vehicle Record Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Phpgurukul Vehicle Record Management System version 1.0. The issue resides in the '/admin/add-brand.php' component, where user input in the 'brandname' parameter is not properly sanitized before being stored in the database. The stored value is later retrieved and displayed on the '/admin/add-vehicle.php' page, where the injected script executes. The vulnerability is classified as second-order stored XSS: the injection and execution points are separate, which complicates detection.

Impact

Exploitation of this vulnerability allows for second-order stored cross-site scripting, where injected scripts are executed on a different page than where they were introduced. This could lead to session hijacking, with silent exfiltration of admin session cookies, and potential privilege escalation, allowing lower-privileged users to compromise higher-privileged admin sessions.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the 'Add Brand' page. Enter a script payload into the 'Brand Name' field and submit the form. Then, go to the 'Add Vehicle' page, where the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, apply output encoding when rendering stored values in HTML contexts, using functions like htmlspecialchars to prevent script execution. Additionally, implement server-side validation to restrict brand name inputs to alphanumeric characters and limited punctuation.
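
The two remediation steps side by side, as an added example that is not the application's own code: the function names, the validation policy (length and allowed punctuation), the option markup and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the application's real source is not shown in this advisory.

/** Server-side validation on the input side (what add-brand.php would call). */
function validate_brand_name(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: 1-50 chars, alphanumerics plus space, dot, ampersand, hyphen.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9 .&-]{0,49}\z/', $name) !== 1) {
        return null; // reject: caller should refuse to store the value
    }
    return $name;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a brand dropdown as a vehicle form might (assumed markup). */
function render_brand_options(array $brands, bool $encode): string
{
    $html = '';
    foreach ($brands as $id => $name) {
        // $encode = false mirrors the flaw: the stored value reaches HTML as-is.
        $label = $encode ? h($name) : $name;
        $html .= sprintf("<option value=\"%d\">%s</option>\n", $id, $label);
    }
    return $html;
}

// Constructed sample rows, as if read back from the brands table.
$stored = [
    1 => 'Toyota',
    2 => 'Marks & Co',                                       // valid, still needs encoding
    3 => 'Acme<script>/* constructed marker */</script>',    // stored before validation existed
];

echo "Without encoding:\n", render_brand_options($stored, false), "\n";
echo "With encoding:\n", render_brand_options($stored, true), "\n";
foreach ($stored as $name) {
    $verdict = validate_brand_name($name) === null ? 'rejected' : 'accepted';
    printf("%-50s %s\n", $name, $verdict);
}
```

Row 2 passes validation yet still contains a character that must be encoded, and row 3 represents data already in the database, which is why encoding at the rendering point is required even after input validation is in place.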

Added: Mar 23, 2026, 4:25 PM
Updated: Mar 23, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.4
exploitability: 5.5
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.