Configuroweb Sistema Web de Inventario Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Configuroweb Sistema Web de Inventario version 1.0. This issue arises from inadequate input sanitization on the product name parameter, allowing authenticated attackers to inject malicious payloads that execute arbitrary JavaScript. The vulnerability can be exploited by inserting a product with a harmful script in the name, which then runs automatically in the browsers of users who view the product list.

Impact

Exploiting this vulnerability allows injected scripts to execute in the context of the user viewing the product list, potentially leading to cookie theft, session hijacking, and unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the product list dashboard. Click the 'Agregar Producto' button to add a new product. In the 'Nombre de Producto' field, insert a malicious payload. Once the product is added, the injected script will execute every time the product list dashboard is accessed.

Remediation

To address this vulnerability, implement input sanitization and output encoding to validate and escape user-supplied data before displaying it in the browser. Additionally, enforce a strict Content Security Policy to limit the execution of unauthorized scripts, protect session cookies with HTTP-only and Secure flags, and leverage security features of web frameworks to minimize risks.