itsourcecode Hostel Management System Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in itsourcecode Hostel Management System version 1.0. The issue arises in the POST request handler of the file '/justines/index.php', where the 'from' parameter can be manipulated to inject malicious scripts. This vulnerability allows remote execution of injected JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to the theft of cookies or session tokens, execution of Cross-Site Request Forgery (CSRF) attacks, privilege escalation if an admin views the injected content, and redirection to malicious sites.

Reproduction

To reproduce this vulnerability, send a POST request to '/justines/index.php' with a 'from' parameter containing the injected script, such as a JavaScript alert. This can be done using tools like Burp Suite or Postman.

Remediation

It is recommended to implement server-side output encoding, input validation, and a Content Security Policy (CSP).