SourceCodester Simple To-Do List System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Simple To-Do List System version 1.0. The issue arises in the file '/fetch_tasks.php' within the 'Add New Task' component. The vulnerability allows remote attackers to inject malicious JavaScript, which is then executed when users access the task list. This exploitation can lead to theft of session cookies, manipulation of page content, redirection to malicious sites, or unauthorized actions on behalf of the user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, open the 'Add New Task' modal and enter a script tag payload, such as a JavaScript alert, into the task description field. After saving the task, the injected script will execute when the task list is loaded, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to sanitize and escape user inputs on the server side before displaying them on the website. This can be done by using functions that convert special characters into HTML entities, preventing browsers from interpreting them as executable code.