Code-Projects Simple Food Ordering System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Simple Food Ordering System version 1.0, specifically within the addproduct.php file. This issue arises from inadequate input sanitization of user-controlled data, which is permanently stored and later displayed without proper output encoding. As a result, attackers can inject malicious scripts that execute automatically in the context of users who view the affected pages. This vulnerability can lead to session hijacking, account takeover, and theft of sensitive information.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript that persists on the server. When other users access the affected page, the script executes in their browser, potentially leading to session hijacking, account takeover, and theft of sensitive information.

Reproduction

To reproduce this vulnerability, navigate to the addproduct.php page and submit a product name, category, and price, including a script tag in the price field. After submission, the injected script will execute when the product is viewed.

Remediation

No specific remediation is known for this vulnerability.
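The advisory lists no vendor fix. The standard defence for this class of bug is to reject non-numeric input for the price on the way in and HTML-encode every stored value on the way out. The PHP below is an added illustration, not code from the Simple Food Ordering System; the form field names, the `products` table and its columns are assumptions, since the real addproduct.php is not shown here.

```php
<?php
// Added illustration; field names and the products table are assumed.

// --- Vulnerable pattern: stored value written into the page verbatim ---
function render_price_unsafe(string $price): string
{
    // No output encoding: any markup stored in "price" becomes live HTML.
    return '<td>' . $price . '</td>';
}

// --- Hardened form: validate on input, prepared insert, encode on output ---
function validate_product(array $post): array
{
    $name     = trim($post['name'] ?? '');
    $category = trim($post['category'] ?? '');
    $price    = trim($post['price'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('invalid name');
    }
    if ($category === '' || mb_strlen($category) > 50) {
        throw new InvalidArgumentException('invalid category');
    }
    // A price is a decimal number; a script tag can never pass this check.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('invalid price');
    }
    return ['name' => $name, 'category' => $category, 'price' => $price];
}

function store_product(PDO $db, array $product): void
{
    // Bound parameters keep the values out of the SQL grammar.
    $stmt = $db->prepare(
        'INSERT INTO products (name, category, price) VALUES (:name, :category, :price)'
    );
    $stmt->execute($product);
}

function h(string $s): string
{
    // HTML-body/attribute encoding; use this for every value echoed into the page.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_product(array $row): string
{
    return '<tr><td>' . h($row['name']) . '</td><td>' . h($row['category'])
         . '</td><td>' . h($row['price']) . '</td></tr>';
}

// Constructed sample: markup in the price field is rejected before it is stored.
$sample = ['name' => 'Burger', 'category' => 'Mains', 'price' => '9.99<script>'];
try {
    validate_product($sample);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // prints "invalid price"
}
```

Input validation alone is not enough for the free-text name and category fields, so `h()` on output is the control that actually closes the XSS; a Content-Security-Policy header is a reasonable extra layer but not a substitute.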

Added: Oct 27, 2025, 5:29 PM
Updated: Oct 27, 2025, 5:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.