PHPGurukul Rail Pass Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Rail Pass Management System version 1.0. The issue resides in the file '/admin/add-pass.php', where the 'fullname' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript that executes in the context of the user’s browser. This vulnerability could be exploited to steal cookies, session information, and perform actions on behalf of the user.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a POST request to '/rpms/admin/add-pass.php' with a 'fullname' parameter containing a script tag, such as '<script>alert(document.cookie)</script>'. Include additional form data as required by the application.

Remediation

It is recommended to implement proper input validation and output encoding, particularly for user-generated content. Additionally, consider applying a Content Security Policy to mitigate the effects of XSS vulnerabilities.