SourceCodester Online Eyewear Shop Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. The issue arises in the file '/oews/classes/Master.php?f=save_product', where an unknown functionality can be manipulated to inject malicious scripts. This vulnerability can be exploited remotely, and the disclosed exploit allows for the extraction of sensitive information, such as the user's cookie.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts can be executed in the context of the user's browser. This could lead to the theft of cookies or other sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to '/oews/classes/Master.php?f=save_product' with the 'description' parameter containing an image tag (with an invalid image source) using an 'onerror' event. This will trigger a JavaScript alert with the value of the document cookie, demonstrating the XSS payload execution.