Projectworlds Visitor Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Projectworlds Visitor Management System version 1.0. The issue resides in the Add Visitor Page, specifically within the file '/myform.php'. The vulnerability is triggered by manipulating the 'Name' argument, allowing the injection of malicious JavaScript that is executed in the context of the user's browser. This vulnerability requires authentication to exploit but can affect any user with access to the page, including administrators.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session. This could lead to session cookie theft, account hijacking, unauthorized actions performed on behalf of the user, and the injection of malicious content such as phishing attempts or malware.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the Add Visitor Page. Once there, submit a form with the 'Name' field containing a payload of JavaScript, such as a simple alert. The injected script will execute as soon as the page is loaded or the element is interacted with.

Remediation

It is recommended to implement proper output encoding to neutralize user-controlled input before it is rendered in HTML. Additionally, a Content Security Policy (CSP) should be applied to restrict the sources from which executable scripts can be loaded.