Bdtask Wholesale Inventory Control and Inventory Management System Stored HTML Injection Vulnerability

Vulnerability

A stored HTML injection vulnerability has been identified in the Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System, affecting versions prior to 20250320. The vulnerability resides in the user profile update functionality, specifically within the '/edit_profile' endpoint. It arises from an inadequate input validation mechanism that fails to properly sanitize HTML tags, allowing authenticated attackers to inject malicious HTML, such as deceptive hyperlinks, into the 'first_name' and 'last_name' fields. This injected content is stored in the database and rendered on pages displaying the user's name, creating a phishing risk for anyone who views the profile.

Impact

Exploitation of this vulnerability allows for stored HTML injection, where the injected HTML is rendered in the browser of every user who views the affected profile. This could be used to conduct phishing attacks by injecting links to malicious sites, or to disrupt the website's appearance by altering how information is presented.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'Edit Profile' page. In the 'First Name' field, inject a hyperlink using standard HTML anchor tag syntax, directing it to a phishing site. After submitting the form, the injected link will be rendered on pages where the user's name is displayed, demonstrating the successful exploitation of the vulnerability.

Remediation

It is recommended to implement context-aware output encoding so that all user-supplied data is treated as text and HTML-encoded before it is rendered on the website. Additionally, input validation should be tightened to allow only the characters expected in name fields, rejecting any input that includes HTML tags.
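The two controls described above, shown side by side as an added example written for this page (not the vendor's code): a vulnerable rendering routine that concatenates the stored name straight into HTML, a hardened one that escapes it for the HTML text-node context, and an allow-list validator applied on the server before the value is stored. The handler name, the in-memory store and the payload string are constructed for illustration and are assumptions, not details taken from the product.

```python
import html
import re

# Hypothetical allow-list for name fields (assumption, not the vendor's rule):
# must start with a letter; thereafter letters, spaces, apostrophes, periods
# and hyphens; at most 60 characters. Any '<' or '>' fails the match.
NAME_PATTERN = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '.\-]){0,59}$")

# Constructed sample payload of the kind the advisory describes: a deceptive
# hyperlink submitted as a first name. The domain is a placeholder.
PAYLOAD = '<a href="https://phishing.example">Verify your account</a>'


def validate_name(value: str) -> bool:
    """Return True only if value matches the allow-list for name fields."""
    return bool(NAME_PATTERN.fullmatch(value))


def render_profile_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable pattern: stored values are concatenated into HTML unchanged,
    so any tags inside them become live markup for every viewer."""
    return f'<span class="user">{first_name} {last_name}</span>'


def render_profile_safe(first_name: str, last_name: str) -> str:
    """Context-aware output encoding for an HTML text node: every value is
    HTML-escaped at render time, so '<a href=...>' is shown as literal text."""
    first = html.escape(first_name, quote=True)
    last = html.escape(last_name, quote=True)
    return f'<span class="user">{first} {last}</span>'


def update_profile(store: dict, user_id: int, first_name: str, last_name: str) -> bool:
    """Server-side handling modelled on a profile-update endpoint (assumption):
    reject the request when either field fails validation, store it otherwise.
    Returns True when the update was accepted."""
    if not (validate_name(first_name) and validate_name(last_name)):
        return False
    store[user_id] = {"first_name": first_name, "last_name": last_name}
    return True


if __name__ == "__main__":
    # Demonstrate both layers against the constructed payload.
    profiles = {}
    print("validation accepted payload:", update_profile(profiles, 1, PAYLOAD, "Doe"))
    print("unsafe render:", render_profile_unsafe(PAYLOAD, "Doe"))
    print("safe render:  ", render_profile_safe(PAYLOAD, "Doe"))
```

Output encoding is the control that actually closes the vulnerability, because it protects every page that prints the name regardless of how the value got into the database; the validator is defence in depth that keeps markup out of the stored data in the first place. Note that `html.escape(..., quote=True)` also encodes apostrophes (as `&#x27;`), so names such as O'Brien still display correctly while remaining inert.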

Added: Nov 14, 2025, 8:20 PM
Updated: Nov 14, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.3
exploitability  6.3
remediation     0.0
relevance       1.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.