Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Code-Projects Client Details System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Client Details System version 1.0. The issue arises in the file '/update-clients.php', where user-supplied data is not properly encoded before being displayed. This allows attackers to inject malicious scripts that are executed when the data is viewed. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the administrator's browser when the 'Client Details' page is accessed. This could lead to session cookie theft, unauthorized actions performed as the admin, data exfiltration, injection of deceptive user interface elements, and triggering of cross-site request forgery attacks from the admin's perspective. Such exploitation could also facilitate further attacks, such as website defacement or lateral movement within a network.

Reproduction

To reproduce this vulnerability, create a user account and input a script payload, such as a JavaScript alert, into any of the fields displayed on the 'Client Details' page. After saving the payload, navigate to the 'update-clients.php' file, where the injected script will execute, demonstrating the successful exploitation of the stored cross-site scripting vulnerability.
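The following PHP is an added example and not code from Code-Projects Client Details System: it contrasts the unencoded output pattern the Vulnerability section describes with a hardened version, using the kind of stored payload the Reproduction section mentions. The `$client` record and the function names are hypothetical; only the encoding call is the standard PHP API.

```php
<?php
// Added example (not code from Code-Projects Client Details System).
// Contrasts the pattern the advisory describes, a stored client field echoed
// into update-clients.php without encoding, with the hardened equivalent.
// $client, renderClientRowVulnerable and renderClientRowSafe are hypothetical.

// Constructed sample record: the 'name' field holds the kind of payload the
// Reproduction section describes (a script tag that pops an alert).
$client = [
    'id'   => 7,
    'name' => '<script>alert(1)</script>',
];

// Vulnerable pattern: the stored value is interpolated straight into HTML, so
// the browser parses the saved <script> tag as markup and runs it whenever an
// administrator opens the page.
function renderClientRowVulnerable(array $client): string
{
    return '<tr><td>' . $client['id'] . '</td><td>' . $client['name'] . '</td></tr>';
}

// Encode for the HTML body and for quoted attribute values. ENT_QUOTES also
// escapes the single quote, so the same helper is safe inside value='...';
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, in every place the field is
// rendered (listing, edit form, search results), rather than trying to filter
// script tags on input.
function renderClientRowSafe(array $client): string
{
    return '<tr><td>' . encodeHtml((string) $client['id']) . '</td><td>'
         . encodeHtml($client['name']) . '</td></tr>';
}

// Regression check a maintainer can keep in a test (PHP 8+ for str_contains):
// the rendered row must not contain the raw user value or an unencoded tag.
function outputIsEncoded(string $html, string $userValue): bool
{
    return !str_contains($html, $userValue) && !str_contains($html, '<script');
}

echo renderClientRowVulnerable($client), PHP_EOL; // raw script tag reaches the browser
echo renderClientRowSafe($client), PHP_EOL;       // tag is rendered as literal text
var_dump(outputIsEncoded(renderClientRowSafe($client), $client['name']));
var_dump(outputIsEncoded(renderClientRowVulnerable($client), $client['name']));
```

Output encoding must be applied at every render site of the stored field, since a single unencoded echo anywhere on the 'Client Details' or edit page is enough to reintroduce the issue.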

Added: Oct 27, 2025, 2:53 PM
Updated: Oct 27, 2025, 2:53 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 4.7
remediation: 0.0
relevance: 0.8
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.