code-projects Client Details System
cpe:2.3:a:code-projects:client_details_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in Code-Projects Client Details System version 1.0. The issue arises in the file '/admin/clientview.php', where user-supplied data is displayed without proper encoding. This allows an attacker to inject malicious scripts, such as JavaScript payloads, which are executed when the page is viewed. The vulnerability can be exploited remotely, but requires authentication and user interaction.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the administrator's browser when viewing the 'Client Details' page. This could lead to hijacking session cookies, performing actions on behalf of the admin, exfiltrating data, injecting fake user interface elements, and triggering cross-site request forgery attacks from the admin's context. Such actions could potentially be used to deface the site or facilitate lateral movement within a network.
To reproduce this vulnerability, first create a user account and log in. Then, navigate to the 'Client Details' page and enter a script payload, such as a JavaScript alert, into any of the fields that are displayed on the page. Once the payload is saved, it will execute automatically when the page is loaded, demonstrating the stored cross-site scripting vulnerability.
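The missing output encoding described above, shown beside its corrected form as an added PHP example; this is not code from Client Details System. The column names, the sample record and the helper names `e()`, `render_row_unsafe()` and `render_row_encoded()` are assumptions made for illustration.

```php
<?php
// Added example. Column names, helper names and the sample record are
// assumptions; none of this is taken from the application's source.

/** HTML-encode a value for element content or a quoted attribute value. */
function e($value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: stored values are concatenated into the page as-is. */
function render_row_unsafe(array $client, array $columns): string
{
    $cells = '';
    foreach ($columns as $column) {
        $cells .= '<td>' . ($client[$column] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

/** Corrected pattern: every stored value is encoded at the point of output. */
function render_row_encoded(array $client, array $columns): string
{
    $cells = '';
    foreach ($columns as $column) {
        $cells .= '<td>' . e($client[$column] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed record, as it could sit in the database after a hostile submit.
$columns = ['name', 'email', 'address'];
$stored  = [
    'name'    => '<script>alert(1)</script>',
    'email'   => 'user@example.test',
    'address' => '12 Example St "Unit 4"',
];

// Run from the PHP CLI to compare the two results as plain text.
echo "unsafe:  ", render_row_unsafe($stored, $columns), PHP_EOL;
echo "encoded: ", render_row_encoded($stored, $columns), PHP_EOL;
```

Encoding belongs at output time in the view, so records already stored with markup in them are rendered as inert text without any database cleanup.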