itsourcecode Online Petshop Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Online Petshop Management System version 1.0, developed by itsourcecode. The issue resides in the addcnp.php file, specifically within the Available Products Page component. The vulnerability allows for the injection of malicious JavaScript into the name and description parameters when adding a new product. This injected script is stored in the tblcnp database and later displayed unsanitized in availableframe.php. As a result, the malicious script executes whenever a user visits the Available Products page, which embeds availableframe.php inside an iframe.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the Available Products page.

Reproduction

To reproduce this vulnerability, access the addcnp.php page and submit a product with a script payload in the name or description fields. Once the product is added, the payload will be stored in the database. When the Available Products page is visited, the injected script will execute, demonstrating the cross-site scripting vulnerability.