SourceCodester FAQ Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester FAQ Management System version 1.0. This vulnerability allows authenticated attackers to inject malicious JavaScript into the 'question' and 'answer' fields via the update-faq.php endpoint. The application fails to properly sanitize user input when updating FAQ content, enabling the injection of untrusted scripts that are executed when the FAQ page is viewed by other users.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the FAQ. This could lead to stealing session cookies or tokens, running arbitrary JavaScript, phishing attacks, modifying the DOM to display false information, or redirecting users to malicious websites.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the update-faq.php endpoint with injected JavaScript in the question and answer fields. The injected script will be executed when the FAQ entry is viewed.