SourceCodester Pet Grooming Management Software Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue arises in the Customer Name field within the Customer Management section, where user input is not properly sanitized, allowing for the injection and execution of malicious scripts.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to session hijacking, theft of authentication cookies, phishing attacks, data theft, and unauthorized modification of content displayed in the application.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the 'Add New Customer' or 'Edit Customer' options. Once in the Customer Name field, enter a script payload, such as a script tag containing JavaScript code, or a body tag with event handlers. After submitting the form, the injected script will execute when the field is displayed in the application.
Remediation
To address this vulnerability, validate the Customer Name field on the server side (reject input that does not match the expected character set and length) and HTML-encode every stored value at the point where it is rendered in a page, since validation alone does not protect existing records or other output paths. Additionally, apply a Content Security Policy (CSP) that disallows inline scripts and event-handler attributes so that a value which slips through is far less likely to execute.
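The following is an added example and not code from the advisory or from the SourceCodester project; the application's real rendering code is not shown on this page. It assumes a hypothetical Node.js rendering layer and uses invented function names (renderCustomerRowUnsafe, renderCustomerRowSafe, validateCustomerName, buildCspHeader) to contrast the unencoded render of the Customer Name field with the remediated version: output encoding at the point of display, a server-side allow-list check on the name, and a CSP header that blocks inline script. The customer record is a constructed sample.

```javascript
// Added example (not from the advisory or the SourceCodester project).
// All function names below are hypothetical; the sample customer is constructed.

// The five characters that must be encoded before untrusted text is placed
// into HTML element content or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into the page,
// so any markup saved in the Customer Name field is interpreted by the browser.
function renderCustomerRowUnsafe(customer) {
  return `<tr><td>${customer.name}</td><td>${customer.pet}</td></tr>`;
}

// Remediated pattern: every untrusted value is encoded at the point of output.
// This protects records that were stored before validation was added.
function renderCustomerRowSafe(customer) {
  return `<tr><td>${escapeHtml(customer.name)}</td><td>${escapeHtml(customer.pet)}</td></tr>`;
}

// Server-side validation for the form handler: a customer name starts with a
// letter and contains only letters, spaces, periods, apostrophes and hyphens,
// at most 80 characters. This is a second layer, not a substitute for encoding.
const NAME_PATTERN = /^[\p{L}\p{M}][\p{L}\p{M} .'-]{0,79}$/u;

function validateCustomerName(name) {
  const trimmed = String(name).trim();
  if (!NAME_PATTERN.test(trimmed)) {
    return { ok: false, error: 'invalid customer name' };
  }
  return { ok: true, value: trimmed };
}

// Content Security Policy that allows only same-origin scripts carrying the
// per-response nonce; inline <script> blocks and on* attributes are refused.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Stand-alone demonstration with a constructed record containing harmless markup.
const sampleCustomer = { name: '<b>Alice</b>', pet: 'Rex' };
console.log('unsafe :', renderCustomerRowUnsafe(sampleCustomer));
console.log('safe   :', renderCustomerRowSafe(sampleCustomer));
console.log('valid? :', validateCustomerName(sampleCustomer.name));
console.log('CSP    :', buildCspHeader('example-nonce'));
```

In the safe row the angle brackets arrive in the browser as `&lt;` and `&gt;`, so the stored value is displayed literally rather than parsed as markup; the validation result for the same input is a rejection, and the CSP header gives the page a third layer should either of the first two be bypassed. The nonce must be generated fresh per response and inserted into every legitimate script tag.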
