Code-Projects Voting System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Voting System version 1.0, specifically within the file '/admin/voters_add.php'. This issue arises from inadequate input validation and sanitization of user-provided data, particularly the 'Firstname', 'Lastname', and 'Platform' fields. As a result, malicious scripts can be injected, persisted on the server, and executed in the context of users who access the affected page. This vulnerability allows for session hijacking, account takeover, and theft of sensitive information.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript that is executed in the browser of users who access the affected page, leading to session hijacking, account takeover, and theft of sensitive information.

Reproduction

To reproduce this vulnerability, navigate to the '/admin/voters_add.php' page and submit a script payload in the 'Firstname' or 'Lastname' fields. After submission, the injected script will execute automatically when the page is accessed by other users.

Remediation

It is recommended to implement proper input validation and output encoding, particularly for user-generated content. Additionally, a Content Security Policy (CSP) should be established to mitigate the impact of potential XSS vulnerabilities.
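The remediation steps above, sketched in PHP as an added example (not the project's own code): validate the 'Firstname', 'Lastname' and 'Platform' values on input, HTML-encode them at output time, and send a restrictive CSP header. The helper names, length limits, array keys and sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: names, limits and keys are assumptions, not the project's code.

/** Validate a free-text field: valid UTF-8, 1..$maxLen chars, no control characters. */
function clean_field(string $raw, int $maxLen): ?string
{
    $value = trim($raw);
    // With /u, preg_match returns false on invalid UTF-8 and 0 on a non-match.
    return preg_match('/\A\P{Cc}{1,' . $maxLen . '}\z/u', $value) === 1 ? $value : null;
}

/** Encode for HTML text and quoted-attribute contexts; call this at render time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** CSP that disallows inline scripts and inline event-handler attributes. */
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'none'; frame-ancestors 'none'";
}

// Constructed sample submission standing in for the form data.
$submitted = [
    'Firstname' => ' Ana <b>',
    'Lastname'  => "O'Neil",
    'Platform'  => '"Transparency" & reform',
];

$voter = [];
foreach (['Firstname' => 30, 'Lastname' => 30, 'Platform' => 500] as $field => $max) {
    $voter[$field] = clean_field($submitted[$field] ?? '', $max);
    if ($voter[$field] === null) {
        exit("Invalid $field\n");
    }
}
// Store $voter as-is (via a prepared statement); encoding happens on output only.

if (PHP_SAPI !== 'cli') {
    header(csp_header());
}
foreach ($voter as $value) {
    echo '<td>' . e($value) . "</td>\n"; // markup characters are rendered as text
}
```

With `script-src 'self'`, any inline scripts the application already uses must be moved to external files before this policy is enforced.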

Added: Oct 9, 2025, 12:20 AM
Updated: Oct 9, 2025, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.