Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Projectworlds Expense Management System Cross-Site Scripting Vulnerability in Currency Page

Vulnerability

A critical persistent cross-site scripting (XSS) vulnerability exists in version 1.0 of the Projectworlds Expense Management System. The issue is located in the Currency Page, specifically within the file '/public/admin/currencies/create'. This vulnerability allows authenticated attackers to inject malicious scripts that are stored in the application's database and executed in the browsers of users who view the affected pages, including administrators.

Impact

Exploitation of this vulnerability allows attackers to hijack user sessions by stealing session cookies, which can be used to impersonate the victim and perform actions on their behalf. Additionally, injected scripts could be used for phishing attacks, keystroke logging, or website defacement.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'Add Currency' page. Once there, fill out the form with valid data but include a JavaScript payload in one of the text fields, such as 'Title', 'Symbol', 'Money format for thousands', or 'Money format for decimal'. After submitting the form, the payload will be stored in the database. The XSS vulnerability can be triggered by accessing the page as any user, including an administrator, and clicking 'print', which will execute the injected script in the browser.

Remediation

To address this vulnerability, encode user-controlled data at output time, before it is rendered in HTML. In PHP this can be done with the 'htmlspecialchars()' function, which converts special characters into HTML entities so the browser displays them as text instead of interpreting them as markup or script.
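The following is an added illustration of that remediation, not code from the Projectworlds project: a print-view row renderer for the currency fields named above, shown first without encoding and then with every field passed through htmlspecialchars(). The field names, the helper e(), and the sample record are assumptions for the example; it assumes PHP 8 for str_contains().

```php
<?php
// Added example (not the Projectworlds code base): output-encode stored
// currency fields before rendering them in the print view.
declare(strict_types=1);

// Encode a string for safe placement in HTML text or quoted attribute content.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: stored values are echoed unencoded, so markup saved
// in a field such as 'title' is parsed by the browser when the page is shown.
function renderCurrencyRowUnsafe(array $currency): string
{
    return '<tr><td>' . $currency['title'] . '</td>'
         . '<td>' . $currency['symbol'] . '</td>'
         . '<td>' . $currency['thousands'] . '</td>'
         . '<td>' . $currency['decimal'] . '</td></tr>';
}

// Hardened rendering: every user-controlled field goes through e().
function renderCurrencyRow(array $currency): string
{
    return '<tr><td>' . e($currency['title']) . '</td>'
         . '<td>' . e($currency['symbol']) . '</td>'
         . '<td>' . e($currency['thousands']) . '</td>'
         . '<td>' . e($currency['decimal']) . '</td></tr>';
}

// Constructed sample record, as it might be read back from the database after
// a form submission placed a script tag in the 'title' field (hypothetical names).
$sample = [
    'title'     => "<script>alert('xss')</script>",
    'symbol'    => '$',
    'thousands' => ',',
    'decimal'   => '.',
];

$unsafe = renderCurrencyRowUnsafe($sample);
$safe   = renderCurrencyRow($sample);

// The hardened output must contain no raw tag; the unsafe one still does.
if (!str_contains($unsafe, '<script>') || str_contains($safe, '<script')) {
    throw new RuntimeException('output encoding check failed');
}
echo $safe, PHP_EOL;
```

htmlspecialchars() is the right tool only for HTML text and quoted attribute contexts; a value placed inside a JavaScript block, a URL, or CSS needs the encoding for that context instead. Encoding at output also has to be applied on every page that renders the stored fields, including the print view, not only on the create form.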

Added: Oct 27, 2025, 6:19 AM
Updated: Oct 27, 2025, 2:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 3.5
exploitability: 6.7
remediation: 0.0
relevance: 0.9
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.