SourceCodester Web-Based Pharmacy Product Management System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SourceCodester Web-Based Pharmacy Product Management System version 1.0. The issue resides in the Category Management module, specifically within the Category Name field, which fails to properly sanitize user input. This allows attackers to inject malicious JavaScript that is executed when other users access the category list.
Impact
Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user viewing the category list. This could lead to session hijacking, unauthorized actions on behalf of the user, and potentially full control over the application if an administrator's account is compromised.
Reproduction
To reproduce this vulnerability, log in as a user with permission to add categories. Navigate to the Category Management section and select 'Add Category'. In the Category Name field, inject a script payload, such as a JavaScript alert. After saving the category, the injected script will execute in the browser of any user who views the category list.
Remediation
Users are advised to apply input validation and sanitization patches. Category names should be restricted to alphanumeric characters. Additionally, implement output encoding measures, such as using 'htmlspecialchars()' in PHP before displaying user-generated content. Consider using Content Security Policy headers to mitigate script injection risks.
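The three remediation layers above, combined in one PHP sketch. This is an added example, not code from the application or its vendor; the function names, the 64-character length cap, the sample data, and the exact CSP policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names: the application's real files and parameters are not shown on the page.

/** Input validation: accept only alphanumeric category names (the 64-char cap is an assumption). */
function is_valid_category_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $name) === 1;
}

/** Output encoding: neutralise HTML metacharacters, including both quote styles. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the category list with every stored value encoded at output time. */
function render_category_list(array $names): string
{
    $items = '';
    foreach ($names as $name) {
        $items .= '  <li>' . e((string) $name) . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// CSP as a second layer, sent before any output: same-origin scripts only, no inline script.
// Assumed policy; an application that relies on inline scripts would need nonces or refactoring.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample data: one legitimate name and one value stored before validation existed.
$stored = ['Antibiotics', '<script>alert(1)</script>'];

foreach ($stored as $name) {
    printf("%-45s %s\n", e($name), is_valid_category_name($name) ? 'accepted' : 'rejected');
}

// Encoding at output still covers rows already in the database, so legacy values render as text.
echo render_category_list($stored);
```

Validation on save stops new payloads from being stored, but only the output encoding protects against category names saved before the fix, so both are needed.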
