PHPGurukul User Registration and Login System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the PHPGurukul User Registration & Login and User Management System, version 3.3. The issue resides in the loginsystem/edit-profile.php file, where remote attackers can execute arbitrary JavaScript by injecting payloads through the fname, lname, and contact parameters in a POST request.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the Manage Users section. Select a user to edit and intercept the request using Burp Suite. Inject a script payload into the fname, lname, and contact parameters, then send the modified request. The injected script will be executed on the page.