Code-projects Simple Food Ordering System
cpe:2.3:a:simple_food_ordering_system_project:simple_food_ordering_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in version 1.0 of the Code-Projects Simple Food Ordering System. The issue resides in the editcategory.php file, where user input in the pname argument is not properly sanitized before being saved and later displayed. This flaw allows for the injection of malicious scripts that are executed in the context of users who view the affected page, potentially leading to session hijacking, account takeover, and theft of sensitive information.
Exploitation of this vulnerability allows for the injection of persistent malicious JavaScript that executes automatically in the browsers of users who access the affected page. This can result in session hijacking, account takeover, and theft of sensitive information.
To reproduce this vulnerability, navigate to the editcategory.php page and submit a script payload in the pname argument. After submission, the injected script will execute in the context of the user’s browser.
No specific remediation is known for this vulnerability.
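In the absence of a vendor fix, the general defence against stored XSS of this kind is to validate the pname value on input and HTML-encode it every time it is displayed. The PHP sketch below is an added example, not code from Simple Food Ordering System; the function names, the 64-character limit and the character allowlist are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example; not the project's own code.
// Function names, length limit and allowlist are assumptions.

/** Validate a category name on input; reject instead of trying to "clean" it. */
function validate_pname(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: 1-64 chars of letters, digits, spaces and a few punctuation marks.
    if (preg_match('/^[\p{L}\p{N} &\'\-.,]{1,64}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Encode a value for an HTML text or quoted-attribute context at output time. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one category row; every stored value passes through h(). */
function render_category_row(int $id, string $pname): string
{
    return sprintf('<tr><td>%d</td><td>%s</td></tr>', $id, h($pname));
}

// Constructed sample values, as they might arrive in the pname argument.
$samples = ['Desserts', 'Fish & Chips', '<script>alert(1)</script>'];

foreach ($samples as $i => $raw) {
    $ok = validate_pname($raw);
    printf("input %d: %s\n", $i, $ok === null ? 'rejected' : 'accepted');
    // Encoding is applied unconditionally, so rows stored before
    // validation existed are also rendered as inert text.
    echo render_category_row($i, $raw), "\n";
}
```

Output encoding is the control that actually neutralises markup already stored in the database; input validation only limits what new records can contain.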