SourceCodester Student Grades Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Student Grades Management System version 1.0. The issue arises in the 'delete_user' function within 'admin.php', where user input is not properly sanitized before being output, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected script is persisted by the application and executed in the browser of any user who later views the affected page, within that user's authenticated session.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Manage Users' or 'Manage Subjects' section. After accessing the edit user or subject interface, inject a script payload, such as an image tag with an 'onerror' event, into the username or subject name fields. Once the user or subject is updated, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to validate user input against a strict allow-list, and to escape special characters (HTML-encode) before rendering any stored input in the browser. Additionally, a Content Security Policy can be applied to block the execution of inline scripts and inline event handlers such as 'onerror'.
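The following is an added example illustrating the remediation above; it is not code from SourceCodester or the Student Grades Management System. It shows output encoding for HTML contexts, allow-list validation for the username and subject name fields named in this advisory, and a Content Security Policy header that blocks inline scripts. The function names, the validation rules, and the sample rows are assumptions made for the example.

```php
<?php
// Added example (not the project's own code): output encoding, allow-list
// validation and a CSP header for a PHP admin page that renders stored values.
// All function names, validation rules and sample data below are assumptions.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_HTML5 and an explicit charset
// avoid encoding mismatches that bypass escaping.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumed username policy: 3-32 characters, letters, digits, dot, underscore, hyphen.
function validateUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1;
}

// Assumed subject-name policy: non-empty, at most 64 characters, letters,
// digits, spaces and a small set of punctuation; no angle brackets or controls.
function validateSubjectName(string $name): bool
{
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} .,&()\'-]+$/u', $name) === 1;
}

// Content Security Policy that disallows inline <script> and inline event
// handlers (e.g. onerror); an injected payload that survives to the page
// would be blocked by the browser. Adjust sources to what the app really loads.
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample rows, including one that carries a typical XSS payload.
$rows = [
    ['username' => '<img src=x onerror=alert(1)>', 'subject' => 'Mathematics'],
    ['username' => 'alice',                        'subject' => 'Physics & Chemistry'],
];

if (PHP_SAPI !== 'cli') {
    sendCsp(); // headers must be sent before any output
}

// Vulnerable pattern (do not use): echo "<td>{$row['username']}</td>";
// Hardened rendering: every stored value passes through e() at output time.
echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr><td>', e($row['username']), '</td><td>', e($row['subject']), "</td></tr>\n";
}
echo "</table>\n";

// On save: reject values that fail validation before they reach the database,
// so the stored data never contains markup in the first place.
foreach ($rows as $row) {
    $userOk    = validateUsername($row['username']) ? 'accepted' : 'rejected';
    $subjectOk = validateSubjectName($row['subject']) ? 'accepted' : 'rejected';
    printf("username %s -> %s; subject %s -> %s\n",
        e($row['username']), $userOk, e($row['subject']), $subjectOk);
}
```

Run from the command line with `php example.php`: the first row's username is rendered as `&lt;img src=x onerror=alert(1)&gt;`, which the browser displays as text rather than executing, and the same value is rejected by validateUsername(). Validation and output encoding are complementary: validation keeps bad data out of storage, encoding protects against data that was stored before the fix or entered through another path, and the CSP header limits the damage if both are ever bypassed.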

Added: Oct 28, 2025, 12:24 AM
Updated: Oct 28, 2025, 12:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.