Code-Projects E-Commerce Website Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects E-Commerce Website version 1.0. The issue resides in the supplier_update.php file, where user input for the supp_name and supp_address parameters is not properly sanitized before being stored. This lack of validation allows attackers to inject malicious scripts that are executed when other users view the affected page. The vulnerability can be exploited remotely, without authentication, but requires user interaction.
Impact
Exploitation of this vulnerability allows for the injection of persistent malicious JavaScript that executes in the context of the user’s browser. This can lead to session hijacking, account takeover, and theft of sensitive information.
Reproduction
To reproduce this vulnerability, navigate to the supplier_update.php page and locate the input fields for 'supp_name' and 'supp_address'. Inject a script payload, such as an alert script, into these fields and submit the form. The injected script will execute when the page is viewed, demonstrating the cross-site scripting vulnerability.
Remediation
No specific remediation is known for this vulnerability.
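General stored-XSS hardening applied to the two parameters named above, shown as an added example: it is not the project's code or a vendor fix, and the `supplier` table, `supp_id` column and `$db` mysqli connection are assumed names.

```php
<?php
// Added illustration, not code from the E-Commerce Website project.
// Assumed names: table `supplier`, column `supp_id`, and a mysqli handle $db.

// Encode a stored value for an HTML text node or a quoted attribute value.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input side: bound parameters, byte-length limits, no control characters.
function update_supplier(mysqli $db, int $id, string $name, string $address): bool
{
    $name = trim($name);
    $address = trim($address);
    if ($name === '' || strlen($name) > 100 || strlen($address) > 255) {
        return false;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $name . $address)) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE supplier SET supp_name = ?, supp_address = ? WHERE supp_id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssi', $name, $address, $id);
    return $stmt->execute();
}

// Output side: encode at render time, so rows stored before the change
// are neutralised as well as new ones.
function render_supplier_row(array $row): string
{
    return '<tr><td>' . e($row['supp_name']) . '</td><td>'
         . e($row['supp_address']) . '</td></tr>';
}

// Constructed sample row standing in for a record that already holds markup.
$stored = [
    'supp_name'    => '<script>alert(1)</script>',
    'supp_address' => '12 "Dock" Road & Sons',
];
// The markup is emitted as inert text: &lt;script&gt;... and &quot;Dock&quot;.
echo render_supplier_row($stored), PHP_EOL;
```

Encoding on output is the control that stops the script from executing; the input checks only reduce what can be stored and do not replace it.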
