Code-Projects Simple Food Ordering System Cross-Site Scripting Vulnerability in editproduct.php

Vulnerability

A stored cross-site scripting vulnerability has been identified in version 1.0 of the Code-Projects Simple Food Ordering System. The issue resides in the editproduct.php file, where user input in the pname, category, and price fields is not properly sanitized before being saved and later displayed. This flaw allows attackers to inject malicious scripts that are executed automatically in the browsers of users who access the affected page, potentially leading to session hijacking, account takeover, and theft of sensitive information.

Impact

Exploitation of this vulnerability allows for the injection of persistent malicious JavaScript that executes in the context of the user’s browser, potentially leading to session hijacking, account takeover, and theft of sensitive information.

Reproduction

To reproduce this vulnerability, navigate to the editproduct.php page and submit a script payload in the pname, category, or price fields. After submission, the injected script will execute when the page is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

No specific remediation is known for this vulnerability, but it is recommended to implement proper input validation and output encoding to prevent cross-site scripting.
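The following is an added example of what that recommendation looks like in PHP; it is not the project's own code. The field names pname, category and price come from the advisory; the products table, its columns, the category allow-list and the PDO connection in $pdo are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection in $pdo
// and a hypothetical `products` table with columns id, pname, category, price.
declare(strict_types=1);

// Constrain each field on input: a length limit for pname, an allow-list for
// category and a numeric check for price. Rejecting bad input limits what
// reaches the database but is not a substitute for output encoding.
function validateProductInput(array $post): array
{
    $allowedCategories = ['Burger', 'Pizza', 'Drink']; // assumed allow-list
    $pname    = trim((string)($post['pname'] ?? ''));
    $category = (string)($post['category'] ?? '');
    $price    = (string)($post['price'] ?? '');

    if ($pname === '' || mb_strlen($pname) > 100) {
        throw new InvalidArgumentException('pname must be 1-100 characters');
    }
    if (!in_array($category, $allowedCategories, true)) {
        throw new InvalidArgumentException('unknown category');
    }
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a decimal number');
    }
    return ['pname' => $pname, 'category' => $category, 'price' => $price];
}

// Encode on output: every stored value rendered into HTML passes through
// htmlspecialchars with ENT_QUOTES, so it is inert in element content and
// inside quoted attribute values alike.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $clean = validateProductInput($_POST);
    $stmt = $pdo->prepare('UPDATE products SET pname = :pname, category = :category, price = :price WHERE id = :id');
    $stmt->execute($clean + ['id' => (int)($_POST['id'] ?? 0)]);
}

// Vulnerable pattern: echo $row['pname'];   (raw stored value written into the page)
// Hardened pattern: every value goes through h() at the point of output.
$stmt = $pdo->prepare('SELECT pname, category, price FROM products WHERE id = :id');
$stmt->execute(['id' => (int)($_GET['id'] ?? 0)]);
$row = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['pname' => '', 'category' => '', 'price' => ''];
?>
<input name="pname" value="<?= h($row['pname']) ?>">
<input name="category" value="<?= h($row['category']) ?>">
<input name="price" value="<?= h($row['price']) ?>">
```

The encoding step is the one that actually closes the stored XSS; the validation step narrows the attack surface and catches malformed prices before they are saved.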

Added: Oct 27, 2025, 6:25 PM
Updated: Oct 27, 2025, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.5
exploitability: 5.8
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.