SourceCodester Packers and Movers Management System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Packers and Movers Management System version 1.0. The issue resides in the Users.php component, where an attacker can inject a malicious script into the username or name field during the creation of a user. This injected script is then executed when an admin views the user list, potentially leading to session hijacking, phishing, and other malicious activities.

Impact

Exploitation of this vulnerability allows for the execution of injected scripts in the context of an admin's browser, with the potential for session hijacking and other malicious actions.

Reproduction

To reproduce this vulnerability, create a new user in the Packers and Movers Management System 1.0. Inject a script payload into the name field. Once the user is created, the injected script will execute when an admin views the user list.

Remediation

It is recommended to implement CSRF protection, input validation and sanitization, a Content Security Policy, and to escape user-generated content before rendering it in the browser.
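The escaping and validation part of that remediation, shown as an added PHP example that is not taken from the project's Users.php: the unsafe rendering pattern sits beside its hardened form, and the function names, field names and the sample record are assumptions.

```php
<?php
// Added example, not the project's code. Function and field names are
// assumptions; the real Users.php may be structured differently.
declare(strict_types=1);

// Escape a value for placement inside an HTML element body or a quoted attribute.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids empty output on bad UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist validation at input time: usernames restricted to a safe character set.
// Output escaping is still required; validation alone is not a substitute.
function isValidUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username);
}

// Unsafe pattern: stored values are interpolated straight into the markup,
// so a script stored in the name field reaches the admin's browser as code.
function renderRowUnsafe(array $user): string
{
    return "<tr><td>{$user['username']}</td><td>{$user['name']}</td></tr>";
}

// Hardened pattern: every user-controlled value passes through h() at the
// output boundary, so the same stored value is rendered as literal text.
function renderRowSafe(array $user): string
{
    return '<tr><td>' . h($user['username']) . '</td><td>' . h($user['name']) . '</td></tr>';
}

// Defence in depth: a restrictive Content Security Policy limits what an
// injected inline script could do even if an escaping gap remains.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample record: a script tag stored in the name field.
$sample = ['username' => 'jdoe', 'name' => '<script>alert(1)</script>'];

echo renderRowUnsafe($sample), PHP_EOL;   // script tag emitted verbatim
echo renderRowSafe($sample), PHP_EOL;     // angle brackets emitted as entities

var_dump(isValidUsername($sample['username']));
var_dump(isValidUsername('<b>jdoe</b>'));
```

Run with `php example.php` to compare the two rendered rows; `sendCspHeader()` must be called before any output in a real page.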

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.