PHPGurukul Human Metapneumovirus Testing Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in PHPGurukul's Human Metapneumovirus Testing Management System version 1.0. The issue arises in the 'Registered Mobile Number Search' feature within the 'registered-user-testing.php' file. The vulnerability is triggered by manipulating the 'regmobilenumber' parameter, which is intended to accept numeric input. The front-end validation can be bypassed, allowing attackers to inject malicious scripts that are executed when the page is loaded. This vulnerability poses a significant risk as it could be exploited to steal session cookies, login credentials, or redirect users to malicious sites.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a request to 'registered-user-testing.php' with the 'regmobilenumber' parameter set to a script tag containing JavaScript, such as an alert. Include 'search=Search' to simulate a search and bypass front-end restrictions. When the page is accessed with these parameters, the injected script will execute, demonstrating the cross-site scripting vulnerability.