PHPGurukul Curfew e-Pass Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Curfew e-Pass Management System version 1.0. The issue resides in the view-pass-detail.php file, where user-controlled data, specifically the Fullname and Category fields, are echoed into the HTML without proper sanitization. This flaw allows attackers with administrator privileges to inject malicious scripts that are executed in the browsers of administrators viewing the affected pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the administrator's browser.

Reproduction

To reproduce this vulnerability, inject a script payload into the Fullname or Category fields during the pass or category creation process. Once the payload is saved, navigate to the 'Manage Pass' page and click 'view' to see the injected script executed in the browser.