SourceCodester Online Banking System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Online Banking System version 1.0. The issue arises in the user profile update feature, specifically the '/?page=user' endpoint. The vulnerability is caused by improper sanitization of user input in the 'First Name' and 'Last Name' fields, allowing attackers to inject malicious JavaScript that is stored with the profile. The injected script is executed whenever the profile information is viewed, potentially leading to session hijacking, credential theft, and unauthorized account access, including administrative accounts.
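The defect described above is the classic stored-XSS pattern: a profile value is saved as typed and later interpolated into HTML without encoding. The following Python snippet is an added illustration, not code from the SourceCodester project (which is written in PHP); the profile data, function names and the name-field policy are constructed for the example. It shows the unsafe render beside an output-encoded one, an input-side check that a name field never needs markup, and a small detection helper a defender could run over already-stored profile rows.

```python
import html
import re

# Constructed sample: what the two fields look like after a malicious
# '/?page=user' update, together with a legitimate name that contains a quote.
SAMPLE_PROFILE = {
    "first_name": "<script>alert(document.cookie)</script>",
    "last_name": "O'Brien",
}


def render_profile_unsafe(profile):
    """Interpolates stored values straight into HTML: the pattern behind stored XSS."""
    return "<p>Name: {first_name} {last_name}</p>".format(**profile)


def render_profile_safe(profile):
    """Output encoding at render time: every stored value is HTML-escaped,
    including quotes, so it can only ever be displayed as text."""
    return "<p>Name: {} {}</p>".format(
        html.escape(profile["first_name"], quote=True),
        html.escape(profile["last_name"], quote=True),
    )


# Letters (any script), followed by letters, spaces, apostrophes, hyphens or dots.
# This is an assumed policy for the example, not one the application enforces.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '\-.])*")


def validate_name(value, max_len=64):
    """Defence in depth on input: reject anything that is not a plausible name.
    Output encoding remains the primary control; this only shrinks the attack surface."""
    value = value.strip()
    if not value or len(value) > max_len:
        return False
    return NAME_RE.fullmatch(value) is not None


def looks_like_markup(value):
    """Detection helper for already-stored rows: flags tags, inline event
    handlers and javascript: URLs so affected profiles can be found and cleaned."""
    return re.search(r"<\s*/?\s*[a-zA-Z]|on\w+\s*=|javascript:", value, re.I) is not None


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(SAMPLE_PROFILE))
    print("safe   :", render_profile_safe(SAMPLE_PROFILE))
    for field, value in SAMPLE_PROFILE.items():
        print(f"{field}: valid={validate_name(value)} markup={looks_like_markup(value)}")
```

In the PHP code base the equivalent of `render_profile_safe` is wrapping each echoed profile value in `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` at the point where it is printed into the page; the escaping belongs at output, because the same stored value may later be rendered in other contexts.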

Impact

Exploitation of this vulnerability allows for persistent execution of injected JavaScript, with the potential for session theft, account takeover, and administrative compromise if an admin views the affected profile.

Reproduction

To reproduce this vulnerability, log into a low-privilege account on the affected application. Navigate to the user profile update page and enter a malicious script into the 'First Name' or 'Last Name' fields. Save the changes, and the injected script will execute whenever the profile is viewed.

Added: Dec 8, 2025, 7:17 AM
Updated: Dec 8, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.