newbee-mall
cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in Newbee Mall version 1.0. The issue arises in the Add Category Page, specifically within the save function of the admin/categories/save file. The vulnerability is triggered by manipulating the categoryName argument, allowing for the injection of XSS payloads. This vulnerability can be exploited remotely and requires user interaction.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, navigate to the admin module and select 'Add Category'. Input a valid parameter to bypass initial XSS payload detection, then intercept the request with a tool like Burp. After intercepting the request, inject the XSS payload into the categoryName argument and send the request. Upon refreshing the page, the injected script will execute, demonstrating the stored XSS vulnerability.
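Because the request is altered after the form's own check has passed, the mitigation has to run on the server against the value as received, and the stored name has to be encoded when it is rendered. The following is an added example, not code from newbee-mall or from the advisory, written in Java, the language of the newbee-mall code base. The class name `CategoryNameGuard`, the allowlist pattern and the 16-character limit are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

public class CategoryNameGuard {
    // Assumed policy (not the project's): letters, digits, spaces and a few
    // separators, 1 to 16 characters. Markup characters are not in the set.
    private static final Pattern ALLOWED =
            Pattern.compile("^[\\p{L}\\p{N} _&/-]{1,16}$");

    /** Server-side check on categoryName exactly as it arrives in the request. */
    static boolean isValidCategoryName(String name) {
        return name != null && ALLOWED.matcher(name.trim()).matches();
    }

    /** Encode a stored value for an HTML text or quoted-attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the advisory.
        String[] samples = { "Phones & Tablets", "<b>markup</b>", "   ", null };
        for (String s : samples) {
            boolean ok = isValidCategoryName(s);
            // Encoding is applied on output even to accepted names: "&" passes
            // the allowlist but still has to be written as "&amp;" in HTML.
            String shown = (s == null) ? "null" : escapeHtml(s);
            System.out.println((ok ? "ACCEPT " : "REJECT ") + shown);
        }
    }
}
```

The validation belongs in the handler behind `admin/categories/save`, and the encoding belongs wherever the category list is rendered, so that a value already stored before the check existed is still displayed as inert text.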