Phpgurukul Vehicle Record Management System
cpe:2.3:a:phpgurukul:vehicle_record_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in the Phpgurukul Vehicle Record Management System version 1.0. The vulnerability resides in the admin search vehicle component, specifically in the searchinputdata parameter of the search-vehicle.php file. It allows attackers to inject arbitrary web scripts or HTML, which are then executed in the context of the user's browser.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page. This could lead to session hijacking, credential theft, phishing attacks, defacement of the application, or unauthorized disclosure of sensitive information.
To reproduce this vulnerability, log into the admin panel of the Vehicle Record Management System. Navigate to the search-vehicle.php page and enter a script payload into the searchinputdata parameter. Once submitted, the injected script will execute in the browser.
To address this vulnerability, output encoding should be applied before rendering user-controlled data in HTML contexts. Additionally, a Content Security Policy header can be implemented to restrict inline script execution.
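The two mitigations above, sketched as an added PHP example; this is not PhpGurukul's code, and the page does not show the source of search-vehicle.php. It assumes the page echoes the POSTed searchinputdata value and stored vehicle fields into HTML; the helper names, the column names RegistrationNumber and OwnerName, and the sample values are hypothetical.

```php
<?php
// Added example, not the application's own code. Helper names, column names
// and sample values are hypothetical; only "searchinputdata" is from the advisory.
declare(strict_types=1);

// Encode a value for an HTML body or quoted-attribute context.
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Policy without 'unsafe-inline': the browser refuses inline <script> blocks
// and on* event-handler attributes. Assumes the app's own scripts are loaded
// from same-origin files; inline scripts would have to be moved out first.
function send_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// The search term echoed back to the admin is encoded at the point of output.
function render_search_heading(string $term): string
{
    return '<h4>Result for "' . e($term) . '"</h4>';
}

// Values read back from the database are encoded as well: in a stored XSS
// the dangerous markup arrives from storage, not from the current request.
function render_row(array $row): string
{
    return '<tr><td>' . e((string) $row['RegistrationNumber']) . '</td><td>'
         . e((string) $row['OwnerName']) . '</td></tr>';
}

if (!headers_sent()) {
    send_csp(); // must run before any output is written
}

// Constructed sample input, used when the script is run without a POST body.
$raw  = $_POST['searchinputdata'] ?? '<b>"MH12"</b> & \'x\'';
$term = is_string($raw) ? $raw : ''; // searchinputdata[]=... arrives as an array

echo render_search_heading($term), "\n";
// Constructed row standing in for a database result.
echo render_row(['RegistrationNumber' => 'MH12<i>AB</i>', 'OwnerName' => "O'Neil"]), "\n";
```

Encoding is applied where the value is written into HTML rather than where it is received, so data already stored before the fix is also rendered as text.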