code-projects Client Details System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in code-projects Client Details System version 1.0. The issue arises in the file welcome.php, where user-supplied data is not properly encoded before being displayed. This allows an attacker to inject malicious scripts, such as JavaScript, which are executed when the page is viewed. The vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the administrator's browser when viewing the 'Client Details' page. This could lead to session cookie theft, unauthorized actions performed as the admin, data exfiltration, injection of fake user interface elements, and triggering cross-site request forgery attacks from the admin's context. Additionally, it could facilitate further attacks, such as website defacement or lateral movement within a network.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'Client Details' listing page. Inject a script payload, such as a JavaScript alert, into any of the displayed fields, including First Name, U-Name, Email, or an uploaded filename. Once the payload is saved, it will execute automatically when the page is loaded, demonstrating the successful exploitation of the stored cross-site scripting vulnerability.