itsourcecode E-Logbook with Health Monitoring System for COVID-19 Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in itsourcecode E-Logbook with Health Monitoring System for COVID-19 version 1.0. The issue arises in the file '/stc-log-keeper/print_reports_prev.php', where user-supplied input from the 'profile_id' parameter is not properly sanitized before being output as HTML. This lack of filtering allows attackers to inject malicious JavaScript that can be executed in the context of the user's browser. The vulnerability can be exploited remotely, without any authentication, but requires user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) attacks, privilege escalation if an admin views the injected content, and redirection to malicious sites.

Reproduction

To reproduce this vulnerability, send a POST request to '/stc-log-keeper/print_reports_prev.php' with the 'selectedMM', 'selectedDD', and 'selectedYYYY' parameters. Include a script tag in the 'selectedMM' parameter to inject JavaScript, which will be executed in the browser.

Remediation

It is recommended to implement server-side output encoding, input validation, and a Content Security Policy (CSP).