Code-Projects E-Commerce Website Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects E-Commerce Website version 1.0. The issue resides in the product_add.php file, specifically within the prod_name, prod_desc, and prod_cost parameters. This vulnerability allows for the injection of malicious scripts that are permanently stored and executed when other users access the affected page. The lack of proper input sanitization and output encoding creates a risk of session hijacking, account takeover, and theft of sensitive information.

Impact

Exploitation of this vulnerability allows for the injection of persistent malicious scripts that execute in the context of the user viewing the affected page. This can lead to session hijacking, account takeover, and unauthorized actions performed on behalf of the user.

Reproduction

To reproduce this vulnerability, navigate to the product addition page and locate the input fields for product name, description, and cost. Inject a script payload, such as a JavaScript alert, into these fields and submit the form. The injected script will execute when the page is viewed by other users.

Remediation

Validate the prod_name, prod_desc, and prod_cost inputs and encode stored values on output to prevent script injection. Additionally, a Content Security Policy can be applied to mitigate the impact of any potential XSS vulnerabilities.
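
One way to apply the remediation above in PHP, as an added example that is not the application's own code. The function names, length limits and sample values are assumptions; only the three parameter names come from the advisory.

```php
<?php
// Added example, not Code-Projects code. Function names, length limits and
// sample values are assumptions; only the parameter names are from the advisory.
declare(strict_types=1);

// Encode for an HTML text or quoted-attribute context at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate on input. Returns [clean values, list of errors].
function validate_product(array $in): array
{
    // Non-string input (e.g. prod_name[]=x) is treated as empty.
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    $clean = ['prod_name' => $get('prod_name'), 'prod_desc' => $get('prod_desc'),
              'prod_cost' => $get('prod_cost')];
    $errors = [];
    if ($clean['prod_name'] === '' || strlen($clean['prod_name']) > 100) {
        $errors[] = 'prod_name must be 1-100 bytes';
    }
    if (strlen($clean['prod_desc']) > 2000) {
        $errors[] = 'prod_desc must be at most 2000 bytes';
    }
    // Cost is numeric data: digits with at most two decimals, nothing else.
    if (!preg_match('/\A\d{1,8}(?:\.\d{1,2})?\z/', $clean['prod_cost'])) {
        $errors[] = 'prod_cost must be a number such as 19.99';
    }
    return [$clean, $errors];
}

// Constructed sample submission with markup in every field.
$post = [
    'prod_name' => '<script>alert(1)</script>',
    'prod_desc' => '"><img src=x onerror=alert(1)>',
    'prod_cost' => '10<script>alert(1)</script>',
];
[$clean, $errors] = validate_product($post);

// Defence in depth: block inline script if an encoding call is ever missed.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// prod_name passes validation as free text, so encoding is what neutralises it.
echo '<h2>', e($clean['prod_name']), "</h2>\n";
echo '<p>', e($clean['prod_desc']), "</p>\n";
echo '<p>', $errors ? e(implode('; ', $errors)) : e($clean['prod_cost']), "</p>\n";
```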

Added: Oct 27, 2025, 11:18 PM
Updated: Oct 27, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.