Code-Projects Client Details System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Client Details System version 1.0. The issue arises in the '/admin/manage-users.php' file, where user-supplied data is displayed without proper encoding. This flaw allows an attacker to inject malicious scripts, such as JavaScript alerts, which are executed when the page is viewed. The vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the administrator's browser. This could lead to hijacking session cookies, performing actions on behalf of the admin, exfiltrating data, injecting fake user interfaces, triggering cross-site request forgery (CSRF) attacks from the admin's context, and potentially chaining further attacks, such as defacement or lateral movement.

Reproduction

To reproduce this vulnerability, first create a user account through the 'admin/register.php' page. During the registration process, input a payload, such as a script tag containing JavaScript code, into any of the fields that will be displayed on the 'Manage Users' page. Once the user is registered, navigate to the 'admin/manage-users.php' page. The injected script will execute automatically, demonstrating the cross-site scripting vulnerability.
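The root cause described above is user-controlled values being written into the Manage Users markup without output encoding. The following is an added example, not code from the Client Details System project: a constructed rendering function in the vulnerable style beside the encoded form a maintainer would ship. The field names, the e() helper and the $users rows are assumptions made for the illustration.

```php
<?php
// Added example (not the project's code): unencoded output beside its fix.
// Field names and the $users rows are constructed sample data.

// Output-encoding helper. Every user-controlled value that is placed inside
// HTML text or a double-quoted attribute must pass through this at the point
// of output; encoding on input is not a substitute, since the stored value
// may be rendered in other contexts later.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed rows standing in for accounts created via register.php.
// The second row carries the kind of value the advisory describes.
$users = [
    ['id' => 1, 'username' => 'alice',   'fullname' => 'Alice Example'],
    ['id' => 2, 'username' => 'mallory', 'fullname' => '<script>alert(1)</script>'],
];

// BEFORE (vulnerable pattern): values interpolated straight into markup, so
// the browser parses the second row's fullname as a script element.
function renderRowUnsafe(array $u): string
{
    return "<tr><td>{$u['id']}</td><td>{$u['username']}</td><td>{$u['fullname']}</td></tr>\n";
}

// AFTER (hardened): identical markup, but every dynamic value is encoded.
// '<' becomes '&lt;' and quotes become entities, so the stored payload is
// displayed as literal text instead of being executed.
function renderRowSafe(array $u): string
{
    return '<tr><td>' . e((string) $u['id']) . '</td><td>' . e($u['username'])
         . '</td><td>' . e($u['fullname']) . "</td></tr>\n";
}

// Defence in depth: a restrictive Content-Security-Policy limits what an
// injected inline script could do if an unencoded sink is missed elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

echo "<table>\n";
foreach ($users as $u) {
    echo renderRowSafe($u);
}
echo "</table>\n";
```

Auditing for the same class of bug in this code base means searching admin pages for echo or string interpolation of database fields that does not go through such a helper.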

Added: Oct 27, 2025, 2:50 PM
Updated: Oct 27, 2025, 2:50 PM

Vulnerability Rating

Custom Algorithm (score per category, out of 10)

spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.