Code-Projects E-Commerce Website Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects E-Commerce Website version 1.0. The issue resides in the file '/pages/supplier_add.php', where user-supplied input in the 'supp_name' and 'supp_address' fields is not properly sanitized before being stored. This allows for the injection of malicious scripts that are executed when other users view the affected page. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for the injection of persistent malicious JavaScript that executes in the context of users viewing the affected page. This could lead to session hijacking, account takeover, and theft of sensitive information.
Reproduction
To reproduce this vulnerability, navigate to the 'supplier_add.php' page and locate the input fields for 'supp_name' and 'supp_address'. Inject a script payload, such as an alert script, into these fields and submit the form. The injected script will execute when the page is viewed by other users.
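The root cause described above, shown as an added PHP example that is not the project's code: the application's source is not on this page, so the function names, the table markup and the sample record are all hypothetical. It contrasts rendering the stored 'supp_name' and 'supp_address' values unencoded with encoding them at output time.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers; the real /pages/supplier_add.php source is not shown on the page.

/** Encode a stored value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Input-side check: trim, bound the length in bytes, reject control characters. */
function clean_field(string $raw, int $maxLen): ?string
{
    $v = trim($raw);
    if ($v === '' || strlen($v) > $maxLen) {
        return null;
    }
    // Tabs and newlines are allowed; other control bytes are not.
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $v) === 1 ? null : $v;
}

/** Vulnerable pattern: stored values concatenated into markup as-is. */
function render_row_unsafe(array $s): string
{
    return '<tr><td>' . $s['supp_name'] . '</td><td>' . $s['supp_address'] . '</td></tr>';
}

/** Hardened pattern: every stored value is encoded where it is written to HTML. */
function render_row_safe(array $s): string
{
    return '<tr><td>' . h($s['supp_name']) . '</td><td>' . h($s['supp_address']) . '</td></tr>';
}

// Constructed sample record, as it could sit in the database after a hostile submission.
$stored = [
    'supp_name'    => '<script>alert(1)</script>',
    'supp_address' => '12 Example Rd "Unit 4"',
];

// Length and character validation accepts this value, so it cannot be the
// only control: the encoding step at output is what neutralises the markup.
var_dump(clean_field($stored['supp_name'], 100) !== null);
echo render_row_unsafe($stored), PHP_EOL; // markup reaches the browser as markup
echo render_row_safe($stored), PHP_EOL;   // markup is rendered as inert text
```

Encoding belongs at every place a stored supplier field is written into a page, since the same record may be displayed by views other than the one that accepted it.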
