PHPGurukul Restaurant Table Booking System Cross-Site Scripting Vulnerability in Manage Subadmins File

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Restaurant Table Booking System version 1.0. The flaw is in the file manage-subadmins.php in the admin directory: the fullname parameter is written into the page's HTML without adequate output encoding, so an attacker can supply JavaScript that runs in the browser of whoever views the affected page. The vulnerability can be exploited remotely but requires user interaction; it has been publicly disclosed together with a proof-of-concept exploit.

Impact

Successful exploitation runs attacker-controlled script in the context of the victim's session with the application, which in the admin area means a logged-in administrator. This can expose session cookies and other session data and allow actions to be performed on the victim's behalf.

Reproduction

To reproduce this vulnerability, log in to the application, open the manage subadmins page, and use the edit subadmin function. Place a script payload in the fullname parameter and submit the form. The script executes when the page containing the fullname value is rendered, confirming the cross-site scripting vulnerability.

Remediation

It is recommended to encode user-controlled values at output time with an encoder matched to the context in which they appear (HTML body, attribute value, or JavaScript); to deploy a Content Security Policy that disallows inline script; to validate the fullname field on the server against an allow-list of expected characters; to set the HttpOnly, Secure and SameSite attributes on session cookies; and, where a framework is in use, to rely on its auto-escaping templates or output helpers rather than hand-written echo statements.
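The following is an added illustration of the remediation and is not code from the project or from the advisory: a hypothetical subadmin record rendered the way the vulnerability description implies (the fullname value echoed unencoded) beside a hardened version that encodes at output, validates on input, sets a Content Security Policy, and hardens the session cookie. The function names, the $row array and the sample payload are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Names and data are assumed.
declare(strict_types=1);

// Constructed sample record. The fullname value is the kind of payload an
// attacker would submit through the edit subadmin form.
$row = [
    'id'       => 1,
    'fullname' => '<script>alert(document.cookie)</script>',
    'username' => 'subadmin1',
];

// Vulnerable pattern: the stored value is echoed straight into HTML, so the
// browser parses the <script> tag and runs it in the viewing admin's session.
function render_row_unsafe(array $row): string
{
    return '<td>' . $row['fullname'] . '</td>';
}

// Hardened pattern: encode for the HTML context at output time. ENT_QUOTES
// also encodes both quote characters, so the same helper is safe inside a
// quoted attribute value; the charset is stated explicitly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<td>' . h($row['fullname']) . '</td>'
         . '<input type="text" name="fullname" value="' . h($row['fullname']) . '">';
}

// Input validation on the write path: a display name has no legitimate need
// for angle brackets or control characters, so reject rather than "clean".
function validate_fullname(string $fullname): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'-]{1,100}$/u', $fullname);
}

// Defence in depth: a CSP that disallows inline script, sent before any output.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Session cookie hardening, to be called before session_start(): HttpOnly keeps
// the id out of document.cookie, Secure restricts it to HTTPS, SameSite limits
// cross-site requests.
function configure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// CLI demonstration of the two render paths and the validator.
echo "unsafe: ", render_row_unsafe($row), PHP_EOL;
echo "safe:   ", render_row_safe($row), PHP_EOL;
echo "valid?  ", var_export(validate_fullname($row['fullname']), true), PHP_EOL;
echo "valid?  ", var_export(validate_fullname("Jane O'Neil"), true), PHP_EOL;
```

Run it with `php example.php`: the unsafe line contains the raw script tag, the safe line contains only entity-encoded text that the browser displays rather than executes, and the validator rejects the payload while accepting an ordinary name. Output encoding is the control that actually closes the hole; validation, CSP and cookie flags each limit the damage if an encoding site is missed.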

Added: Jun 10, 2025, 7:27 PM
Updated: Jun 10, 2025, 7:27 PM

Vulnerability Rating

Custom Algorithm
spread          1.0
impact          3.5
exploitability  6.5
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.