Code Astro Internet Banking System
cpe:2.3:a:codeastro:internet_banking_system:*:*:*:*:*:*:*
- 2.0.0
A stored cross-site scripting vulnerability has been identified in Code Astro Internet Banking System version 2.0.0. The issue arises in the name parameter of the pages_add_acc_type.php file, where user input is not properly sanitized. This vulnerability allows attackers to inject malicious JavaScript that is executed when the page is accessed, potentially leading to session hijacking, credential theft, or account takeover.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page, including administrators.
To reproduce this vulnerability, navigate to the 'Add Acc Type' section of the application. Enter a script payload into the 'Account Category Name' field and submit the form. The injected script will execute when the 'Manage Acc Types' menu is accessed.
Users are advised to implement HTML entity encoding for user input, validate and sanitize all input fields, and use Content Security Policy (CSP) to prevent the execution of inline scripts.
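The pattern the advisory describes (a stored value echoed back into the 'Manage Acc Types' page without encoding) and the three recommended mitigations (validate input, HTML-entity-encode on output, send a CSP) are shown below in PHP. This is an added illustration, not code from the Code Astro project: the function names, the `name` form field handling and the character allowlist are assumptions made for the example, and the database step is omitted.

```php
<?php
// Added illustration, not the project's own code: a hypothetical handler for an
// "Add Acc Type" form, shown first in the unsafe pattern the advisory describes,
// then in a hardened form. Function and variable names are assumptions.

// --- Unsafe pattern: stored value is written into HTML without encoding ---
function render_acc_type_row_unsafe(string $name): string {
    // The category name is inserted verbatim, so any markup it contains becomes
    // part of the page when an administrator opens "Manage Acc Types".
    return "<tr><td>{$name}</td></tr>";
}

// --- Hardened form ---

// 1. Validate on input: accept only what an account category name needs.
//    Returns the trimmed name, or null if it should be rejected.
function validate_acc_type_name(string $name): ?string {
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    // Allowlist: letters, digits, spaces, hyphens, apostrophes and ampersands.
    // Apostrophes and ampersands are deliberately allowed so that the output
    // encoding below (not validation) is what keeps the HTML context safe.
    if (!preg_match('/^[\p{L}\p{N} \-\'&]+$/u', $name)) {
        return null;
    }
    return $name;
}

// 2. Encode on output: entity-encode stored data at the point it is written
//    into an HTML context, regardless of what validation happened on the way in.
function render_acc_type_row(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$safe}</td></tr>";
}

// 3. Defence in depth: a Content Security Policy that refuses inline scripts,
//    so an encoding slip elsewhere in the application does not yield execution.
//    Must be sent before any output is written.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Simplified request handling for the "Add Acc Type" form.
send_csp_header();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = validate_acc_type_name((string)($_POST['name'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        echo 'Invalid account category name.';
        exit;
    }
    // The application would now store $name with a prepared statement; that
    // step is omitted here. When the value is later listed under
    // "Manage Acc Types", it must go through render_acc_type_row(), never the
    // unsafe variant above.
}
```

Note that validation alone is not the fix: the allowlist here still admits apostrophes and ampersands, and a name such as `O'Brien & Co` is legitimate. Safety comes from `htmlspecialchars()` being applied with `ENT_QUOTES` at every point the stored value enters HTML, with the CSP as a second layer if an output path is missed.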