PuneethReddyHC Event Management System
cpe:2.3:a:event_management_system_project:event_management_system:*:*:*:*:*:*:*
- 1.0
A reflected Cross-Site Scripting vulnerability has been identified in the PuneethReddyHC Event Management System version 1.0. The issue resides in the register.php backend script, where the mobile POST parameter is inadequately validated and is echoed back in the HTTP response without proper sanitization. This flaw allows attackers to inject and execute arbitrary JavaScript code in the browsers of victims.
Successful exploitation results in reflected Cross-Site Scripting: a script injected by the attacker is executed in the context of the user's browser.
To reproduce this vulnerability, clone the PuneethReddyHC Event Management System repository and run it locally. Then, send a POST request to the backend/register.php endpoint with a malicious payload in the mobile parameter. The injected payload will be reflected in the response without any sanitization.
Users are advised to sanitize or encode user input before outputting it. For example, in PHP, use htmlspecialchars to encode the mobile parameter before echoing it.
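The mitigation above as an added PHP example; it is not the project's code, and the actual register.php is not reproduced on this page. The function names and the 7-to-15-digit mobile format are assumptions, and PHP 8.0 or later is assumed for the mixed type.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; names are not taken from the project.

/** Encode a value for safe placement in HTML text or a quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allow-list validation; assumed format: optional '+' followed by 7 to 15 digits. */
function is_valid_mobile(string $mobile): bool
{
    return preg_match('/\A\+?[0-9]{7,15}\z/', $mobile) === 1;
}

/** Build the response text for a submitted mobile value. */
function render_mobile_response(mixed $raw): string
{
    // POST fields can arrive as arrays (mobile[]=...); treat non-strings as invalid.
    $mobile = is_string($raw) ? trim($raw) : '';
    if (!is_valid_mobile($mobile)) {
        // Rejected input is never echoed back.
        return 'Invalid mobile number.';
    }
    // Encode at output even though validation passed (defence in depth).
    return 'Registered mobile: ' . html_escape($mobile);
}

// Constructed sample inputs: a valid number, a value containing markup, an array.
$samples = ['+919876543210', '98765<i>"x"</i>', ['unexpected', 'array']];
foreach ($samples as $sample) {
    echo render_mobile_response($sample), PHP_EOL;
}

// When a value has to be displayed as submitted, encoding alone turns the
// markup characters into entities so the browser renders them as text.
echo html_escape('98765<i>"x"</i>'), PHP_EOL;
```

In a request handler the call would be `render_mobile_response($_POST['mobile'] ?? null)`, with the response sent under an explicit `Content-Type` that declares UTF-8.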