itsourcecode Online Petshop Management System Stored Cross-Site Scripting Vulnerability in Admin Dashboard
Vulnerability
A stored cross-site scripting vulnerability has been identified in the itsourcecode Online Petshop Management System version 1.0. The issue arises in the Admin Dashboard component, specifically within the availableframe.php file. The vulnerability is triggered by manipulating the name and address fields in the order submission form. Malicious scripts injected into these fields are saved in the database and later executed when the admin views the orders, allowing attackers to run arbitrary JavaScript in the admin's browser. This could lead to cookie theft, unauthorized actions on behalf of the admin, or alterations to the dashboard content.
Impact
Successful exploitation results in stored cross-site scripting: the injected script executes automatically in the admin user's browser session when the order is viewed, with no further interaction required.
Reproduction
To reproduce this vulnerability, submit an order through the availableframe.php order form, injecting a script payload into the name and address fields. Once the order is submitted, log into the admin dashboard and view the new order. The injected script will execute immediately in the admin's browser, demonstrating the stored XSS vulnerability.
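The advisory does not show the application's source, so the following is an added example and not the project's own code: it contrasts the vulnerable rendering pattern described above with output encoding applied where stored order data is written into the admin page. The row layout, the function names and the sample orders are assumptions constructed for illustration; only the name and address fields come from the advisory.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for orders read back from the database.
// 'name' and 'address' mirror the form fields named in the advisory;
// the rest of the row layout is an assumption.
$orders = [
    ['id' => 1, 'name' => 'Jane Doe', 'address' => '12 Elm St'],
    ['id' => 2, 'name' => '<script>alert(1)</script>',
     'address' => '"><img src=x onerror=alert(1)>'],
];

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: stored values are concatenated into markup as-is. */
function render_row_unsafe(array $o): string
{
    return "<tr><td>{$o['id']}</td><td>{$o['name']}</td><td>{$o['address']}</td></tr>";
}

/** Hardened pattern: every stored value is encoded at output time. */
function render_row_safe(array $o): string
{
    return '<tr><td>' . (int) $o['id'] . '</td><td>' . e((string) $o['name'])
         . '</td><td>' . e((string) $o['address']) . '</td></tr>';
}

// Defense in depth: a CSP without 'unsafe-inline' stops injected inline
// scripts and event handlers even if an encoding call is missed somewhere.
// Assumes the dashboard loads its own scripts from same-origin files.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

foreach ($orders as $o) {
    echo 'unsafe: ', render_row_unsafe($o), "\n";
    echo 'safe:   ', render_row_safe($o), "\n";
}
```

In the safe output, order 2 renders as inert text (`&lt;script&gt;…`), while the unsafe output contains live markup. Encoding belongs at every place the stored fields are displayed, since data already in the database stays untrusted even after input validation is added to the order form.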
