Code-Projects Traffic Offense Reporting System Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in version 1.0 of the Code-Projects Traffic Offense Reporting System. The issue resides in the '/save-reported.php' file, where user input from the 'offence_id', 'vehicle_no', 'driver_license', 'name', 'address', 'gender', 'officer_reporting', and 'offence' parameters is not properly validated or sanitized before being saved to the database. This lack of input validation allows attackers to inject malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking and cookie theft.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user, potentially leading to session hijacking and unauthorized access to sensitive information.
Reproduction
To reproduce this vulnerability, submit a form through the 'Report Offence' function on the 'Traffic Offense Reporting System' application. Include payloads in the 'offence_id', 'vehicle_no', 'driver_license', 'name', 'address', 'gender', 'officer_reporting', and 'offence' fields that consist of script tags containing JavaScript code, such as an alert. Once the form is submitted, the injected scripts will be executed when the 'OFFENSE LIST' module is accessed.
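One way to close the gap described above, as an added example that is not code from the Traffic Offense Reporting System: allowlist validation of the eight parameters before they are saved, plus HTML encoding when stored values are rendered in the offense list. The function names, per-field patterns and sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Field names come from the advisory; the pattern for each field is an assumption.
const FIELD_RULES = [
    'offence_id'        => '/^[A-Za-z0-9-]{1,32}$/',
    'vehicle_no'        => '/^[A-Za-z0-9 -]{1,20}$/',
    'driver_license'    => '/^[A-Za-z0-9-]{1,32}$/',
    'name'              => '/^[\p{L} .\'-]{1,100}$/u',
    'address'           => '/^[\p{L}\p{N} .,#\/\'-]{1,255}$/u',
    'gender'            => '/^(Male|Female|Other)$/',
    'officer_reporting' => '/^[\p{L} .\'-]{1,100}$/u',
    'offence'           => '/^[\p{L}\p{N} .,()\/\'-]{1,255}$/u',
];

/** Hypothetical helper: returns [cleanValues, rejectedFieldNames]. */
function validate_report(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $input[$field] ?? '';
        // Arrays (e.g. name[]=x) and anything outside the allowlist are rejected.
        if (!is_string($value) || preg_match($pattern, trim($value)) !== 1) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = trim($value);
    }
    return [$clean, $errors];
}

/** Hypothetical helper: encode for HTML text or a quoted attribute at render time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission with markup in the 'name' field.
$sample = ['offence_id' => 'OF-1001', 'vehicle_no' => 'KA 01 AB 1234',
    'driver_license' => 'DL-998877', 'name' => '<script>alert(1)</script>',
    'address' => '12 Main St.', 'gender' => 'Male',
    'officer_reporting' => 'J. Doe', 'offence' => 'Speeding'];

[$clean, $errors] = validate_report($sample);
echo 'rejected: ' . implode(',', $errors) . PHP_EOL;

// Rows stored before the fix may still hold markup, so the list view must encode.
echo '<td>' . e($sample['name']) . '</td>' . PHP_EOL;
```

Encoding at output is the control that neutralizes rows already in the database; validation on save only limits what new submissions can store.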
