Code-Projects Voting System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects Voting System version 1.0. The issue resides in the '/admin/candidates_edit.php' file, where user input for the Firstname, Lastname, and Platform fields is not properly sanitized before being saved and later displayed. This flaw allows attackers to inject malicious scripts that are executed in the context of users who view the affected page, potentially leading to session hijacking, account takeover, and theft of sensitive information.
Impact
Exploitation of this vulnerability allows for the injection of persistent malicious scripts that execute automatically in the browsers of users who access the compromised content. This can result in session hijacking, account takeover, and unauthorized actions performed on behalf of the user.
Reproduction
To reproduce this vulnerability, navigate to the '/admin/candidates_edit.php' page and enter a script tag payload into the Firstname or Lastname fields. After submitting the form, the injected script will execute when the page is viewed, demonstrating the cross-site scripting vulnerability.
Remediation
It is recommended to implement proper input validation and output encoding to prevent cross-site scripting. User input should be sanitized before storage, and encoded when displayed. Additionally, a Content Security Policy can be applied to mitigate the impact of any potential XSS vulnerabilities.
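The sketch below illustrates the three measures recommended above (validation on save, encoding on display, and a Content Security Policy) for the Firstname, Lastname, and Platform fields. It is an added example, not code from the Voting System project: the function names, array keys, length limits, and policy string are assumptions, and the mbstring extension is assumed to be available.

```php
<?php
// Added example: hypothetical helpers, not the Voting System's own code.
declare(strict_types=1);

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate the three candidate fields before storage.
 * Returns [cleanValues, errors]; the length limits are assumed.
 */
function validate_candidate(array $post): array
{
    $limits = ['firstname' => 50, 'lastname' => 50, 'platform' => 1000];
    $clean = [];
    $errors = [];
    foreach ($limits as $field => $max) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
            $errors[$field] = "must be 1-$max characters";
        } elseif ($field !== 'platform' && !preg_match('/^[\p{L}\p{M} .\'-]+$/u', $value)) {
            // Names: letters, marks, space, dot, apostrophe, hyphen only.
            $errors[$field] = 'contains characters not allowed in a name';
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Render one candidate row; every stored value is encoded at output. */
function render_candidate_row(array $row): string
{
    return '<tr><td>' . e($row['firstname']) . '</td><td>' . e($row['lastname'])
         . '</td><td>' . nl2br(e($row['platform'])) . '</td></tr>';
}

// Defense in depth: disallow inline scripts. Must be sent before any output.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

// Constructed sample row standing in for values already stored in the database.
$stored = ['firstname' => '<b>Ana</b>', 'lastname' => "O'Neil", 'platform' => "Line 1\n<i>Line 2</i>"];
echo render_candidate_row($stored), PHP_EOL;      // markup is shown as text, not interpreted
[, $errors] = validate_candidate($stored);        // only firstname is rejected
echo json_encode($errors), PHP_EOL;
```

Platform is free text, so validation only bounds its length; encoding at output is what keeps stored markup inert. With this policy, any inline scripts the application relies on would have to move to external files or be allowed with nonces.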
