PHPGurukul Human Metapneumovirus Testing Management System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in version 1.0 of the PHPGurukul Human Metapneumovirus Testing Management System. The issue resides in the Admin Profile Page, specifically within the profile.php file. Remote attackers can execute arbitrary web scripts by injecting a crafted payload into the 'email' field. The value is accepted without proper input sanitization, so the injected script runs in the context of the user's session.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the profile.php endpoint. Once there, click 'Update' and intercept the request using a tool like Burp Suite. Modify the 'email' parameter by injecting a script payload, such as a script tag containing JavaScript code (for example, an alert). After forwarding the request, the injected script will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to implement strict input validation and sanitization for user-generated content, particularly in the 'email' field. Additionally, encoding user input before rendering it in the browser can help neutralize malicious scripts.
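The two controls described above, shown as an added example that is not the application's own profile.php code: server-side validation of the 'email' value before it is stored, and HTML encoding when it is rendered. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names and sample inputs are hypothetical,
// not taken from the application's profile.php.

/** Validate an e-mail before it is stored; returns null when rejected. */
function validate_email_for_storage(string $raw): ?string
{
    $email = trim($raw);
    // 254 characters is the practical upper bound for an address.
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** Encode a stored value for an HTML text node or quoted attribute. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for the POSTed 'email' parameter.
$samples = [
    'admin@example.com',
    "o'brien@example.com",
    '<script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $stored = validate_email_for_storage($raw);
    if ($stored === null) {
        // Reject instead of storing; still encode before echoing it back.
        echo 'rejected: ', html_encode($raw), PHP_EOL;
        continue;
    }
    // Render path: encode at output time, whatever was validated earlier.
    echo '<input type="email" name="email" value="', html_encode($stored), '">', PHP_EOL;
}
```

Validation narrows what reaches storage, but the encoding step at render time is what neutralizes any markup characters in values that are already stored or that pass format checks.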
