PHPGurukul Curfew e-Pass Management System Cross-Site Scripting Vulnerability in Category Editing Feature

A stored cross-site scripting vulnerability has been identified in PHPGurukul's Curfew e-Pass Management System version 1.0. The issue arises in the 'edit-category-detail.php' file, where the 'catname' parameter is processed without proper output encoding. This flaw allows attackers to inject malicious scripts that are executed in the browsers of administrators viewing the affected category. The vulnerability can be exploited remotely by authenticated users with administrative privileges.

Impact

Exploitation of this vulnerability allows for the injection of scripts that are executed in the context of the administrator's browser. This could lead to session hijacking, privilege escalation, or unauthorized data manipulation.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Edit Category' page. Enter a JavaScript payload into the 'Category Name' input field and submit the form. The injected script will be executed when the category is edited again.

Remediation

It is recommended to implement proper input validation and output sanitization for the 'catname' parameter. Additionally, a Content Security Policy (CSP) could be employed to mitigate the impact of such vulnerabilities.