Projectworlds Advanced Library Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Projectworlds Advanced Library Management System version 1.0. The issue resides in edit_admin.php, in the firstname POST parameter. An authenticated attacker can submit JavaScript in this field; the value is stored with the admin record and executed in the browser of any user who views a page that renders it. The root cause is inadequate input validation combined with the absence of output encoding when the stored value is written into HTML, so script tags persist in the database and are interpreted as markup rather than text.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to run in the browser of any user who views the affected page, within the application's origin. This can lead to session hijacking, actions performed on the victim's behalf (which sidesteps CSRF protections, since the script can read and submit the anti-CSRF token), account takeover, or delivery of malicious content to other users. The severity depends on how many users view the stored value, what privileges they hold, and the HTML context in which the value is rendered.

Reproduction

To reproduce this vulnerability, log into the application as an admin or as a user with permission to edit admin profiles. Open the admin edit page (edit_admin.php) and submit the firstname field with a script payload such as <script>alert(/XSS/)</script>. After saving the changes, visit any page that displays the admin's first name; the injected script executes when the page is rendered. Because the payload is stored, it will also fire for every other user who views the same page, so test on a non-production instance.

Remediation

Clean existing stored values in the database so that previously injected scripts are removed. Apply context-aware output encoding at render time: escape the value for HTML (in PHP, htmlspecialchars with ENT_QUOTES) wherever the first name is written into a page, rather than relying on sanitization at storage time. Enforce strict input validation for name fields so that input containing markup characters is rejected unless explicitly required. Consider a templating engine that escapes output by default, and deploy a Content Security Policy to limit the impact of any script that still gets through; note that a CSP only blocks injected inline scripts if script-src does not allow 'unsafe-inline', which may require moving the application's own inline scripts into separate files.
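The following PHP is an added illustration of the remediation above, written for this advisory; it is not code from the Projectworlds project, whose edit_admin.php is not shown here. It places an assumed vulnerable rendering pattern (the stored first name echoed raw into a table cell) next to a hardened version, a validation rule for name fields, and the CSP header described above. The function names, the table-cell context and the name-length limit are assumptions, and the payload is the one from the reproduction steps.

```php
<?php
// Added example for this advisory, not the project's own code.
// Assumed: the admin's first name is rendered into an HTML element body.
declare(strict_types=1);

// Constructed payload, taken from the advisory's reproduction steps.
const PAYLOAD = '<script>alert(/XSS/)</script>';

// Assumed vulnerable pattern: the stored value is concatenated into HTML unescaped,
// so the browser parses the payload as a script element.
function render_name_vulnerable(string $firstname): string
{
    return '<td>' . $firstname . '</td>';
}

// Hardened output: encode for the HTML element context at render time.
// ENT_QUOTES also encodes quotes, which matters if the value ever lands in an attribute.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $firstname): string
{
    return '<td>' . esc_html($firstname) . '</td>';
}

// Input validation for a name field (assumed policy): letters and combining marks
// from any script, spaces, apostrophes, periods and hyphens; nothing else.
// Returns the trimmed value, or null when the input must be rejected.
function validate_firstname(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\' .-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// CSP that blocks injected inline scripts. It only helps if the application's own
// scripts are served from files; an 'unsafe-inline' allowance would defeat it.
// Must be called before any output is sent.
function send_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Demonstration against the constructed payload.
echo "Vulnerable: " . render_name_vulnerable(PAYLOAD) . "\n"; // script tag survives intact
echo "Hardened:   " . render_name_safe(PAYLOAD) . "\n";       // &lt;script&gt;... rendered as text
var_dump(validate_firstname(PAYLOAD) === null);                // bool(true): markup rejected
var_dump(validate_firstname("O'Brien") === "O'Brien");         // bool(true): ordinary name accepted
```

Run it with the PHP CLI to see both renderings side by side. The encoding step is the fix that closes the vulnerability; the validation rule and the CSP are defence in depth, and the validation should not be the only control, since other fields or future code paths may legitimately need characters that this rule rejects.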

Added: Oct 8, 2025, 3:17 AM
Updated: Oct 8, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.