Needyamin Library Card System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Needyamin Library Card System version 1.0. The issue resides in the signup.php file within the Registration Page component. This vulnerability allows for the injection of malicious scripts through the firstname, lastname, email, borrow, and user_address fields. The injected scripts are executed when the data is viewed, potentially leading to malware distribution, unauthorized account access, data breaches, and reputational damage.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, navigate to the signup.php page. Input cross-site scripting payloads into the First Name and Book Name fields. Once the form is submitted, the payloads will be stored and executed when the data is accessed through the admin dashboard or the card.php page.