projectworlds Expense Management System
cpe:2.3:a:expense_management_system_project:expense_management_system:*:*:*:*:*:*:*
A critical persistent cross-site scripting (XSS) vulnerability exists in Projectworlds Expense Management System version 1.0. The issue is located in the Expense Categories Page, specifically within the file '/public/admin/expense_categories/create'. This vulnerability allows authenticated attackers to inject malicious scripts that are stored in the application's database and executed in the browsers of users who view the affected pages, including administrators.
Exploitation of this vulnerability allows attackers to hijack user sessions by stealing session cookies, which can be used to impersonate the victim and perform actions on their behalf. Additionally, injected scripts could be used for phishing attacks, keystroke logging, or defacing the website.
To reproduce this vulnerability, log into the application and navigate to the 'Add Expense Categories' page. Once there, fill out the form with valid data, but insert a JavaScript payload into one of the text fields, such as 'Name'. After submitting the form, the payload will be stored in the database. The XSS vulnerability can be triggered by accessing the page as any user, including an administrator, and clicking 'print', which will execute the injected script in the browser.
To address this vulnerability, it is recommended to encode output from user-controlled data before rendering it in HTML. This can be done by using the 'htmlspecialchars()' function to convert special characters into HTML entities, preventing the browser from interpreting them as code.
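The vulnerable rendering pattern beside its encoded form, as an added example that is not code from the Projectworlds project; the helper names, the template fragment and the sample database row are assumptions for illustration:

```php
<?php
// Added example, not from the Projectworlds code base: a stored category
// name rendered without encoding (the bug class described above) and the
// same value rendered through htmlspecialchars(). Names are illustrative.

// Constructed sample row, standing in for what the application reads back
// from the database after a script payload was saved through the
// 'Add Expense Categories' form. Benign marker value, not a real exploit.
$category = ['name' => '<script>alert(1)</script>'];

// VULNERABLE: the stored string is concatenated into the HTML verbatim, so
// the browser parses the tags and runs the script whenever the row is
// shown, e.g. on the 'print' view. This is the persistent XSS.
function render_category_unsafe(array $row): string
{
    return '<td>' . $row['name'] . '</td>';
}

// FIXED: encode at output time. ENT_QUOTES converts both quote characters,
// so the helper is also safe inside attribute values; ENT_SUBSTITUTE keeps
// invalid byte sequences from silently truncating the output; the charset
// is explicit rather than relying on the runtime default.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_category_safe(array $row): string
{
    // Encoded name is displayed as literal text, not parsed as markup.
    return '<td>' . e($row['name']) . '</td>';
}

echo render_category_unsafe($category), PHP_EOL; // markup reaches the browser
echo render_category_safe($category), PHP_EOL;   // markup neutralised
```

Because the payload lives in the database, the encoding helper has to be applied at every place the category name is printed (the listing, the edit form and the print view), not only where the report was reproduced.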