Code-Projects Traffic Offense Reporting System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in version 1.0 of the Code-Projects Traffic Offense Reporting System. The issue arises in the saveuser.php file, where user input from the parameters user_id, username, email, name, and position is not properly validated or sanitized before being saved to the database. This lack of input validation allows attackers to inject malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking and cookie theft.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user, potentially leading to session hijacking, cookie theft, and unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, submit a form on the 'add-user.php' page with the 'create user' function. Include script tags in the user_id, username, email, name, and position fields. The injected scripts will be executed when the 'USER LIST' module is accessed.
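The following is an added example, not code from the Traffic Offense Reporting System: it sketches the two controls that address the flaw described above, validation of the five named fields before they are saved and HTML encoding when a user-list row is rendered. The function names, length limits and allowed character sets are assumptions, and the sample row is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration. Field names come from the advisory; function names,
// length limits and allowed characters are assumptions.
const USER_FIELDS = ['user_id', 'username', 'email', 'name', 'position'];

function validate_user_fields(array $in): array
{
    $f = [];
    foreach (USER_FIELDS as $k) {
        $v = $in[$k] ?? '';
        $f[$k] = is_string($v) ? trim($v) : '';   // array-valued input becomes empty and fails below
    }
    $errors = [];
    foreach (['user_id', 'username'] as $k) {     // identifiers: assumed short and alphanumeric
        if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $f[$k])) {
            $errors[] = $k;
        }
    }
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Free text: bound the length and reject control characters only.
    // Markup characters may pass here; encoding at output neutralises them.
    foreach (['name', 'position'] as $k) {
        if ($f[$k] === '' || strlen($f[$k]) > 100 || preg_match('/[\x00-\x1F\x7F]/', $f[$k])) {
            $errors[] = $k;
        }
    }
    return [$f, $errors];
}

// Encode for HTML text and quoted-attribute contexts at render time.
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_user_row(array $row): string
{
    $cells = '';
    foreach (USER_FIELDS as $k) {
        $cells .= '<td>' . h((string)($row[$k] ?? '')) . '</td>';
    }
    return "<tr>$cells</tr>";
}

// Constructed row standing in for a value stored before validation existed.
$legacy = ['user_id' => 'u1', 'username' => 'jdoe', 'email' => 'jdoe@example.test',
           'name' => '<script>/*marker*/</script>', 'position' => 'Clerk'];
echo render_user_row($legacy), PHP_EOL;   // the tag is emitted as inert text
```

Encoding at output is the control that protects rows already in the database; validation on save only limits what can be stored from then on.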

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.