SourceCodester Student Grades Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Student Grades Management System version 1.0. The issue arises in the 'Add New User' feature within the admin panel, specifically in the 'Manage Users' page. The vulnerability is caused by improper input validation of the 'first_name' and 'last_name' fields, which allow the injection of malicious JavaScript. This injected script is executed in the browser of any administrator who views the user list or dashboard, potentially leading to session hijacking or unauthorized administrative actions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. In this case, an administrator could execute malicious JavaScript in the browser of another administrator, potentially leading to session theft or unauthorized actions on behalf of the victim.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the 'Manage Users' tab. In the 'Add New User' form, enter a JavaScript payload, such as an image tag with an 'onerror' event, into the 'First Name' and 'Last Name' fields. After submitting the form, the injected script will execute when the 'Recent Users' list is viewed on the dashboard.