PHPGurukul COVID-19 Testing Management System Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in the 2021 version of the PHPGurukul COVID-19 Testing Management System. The issue is in the 'search-report-result.php' file, where user-supplied input passed in the 'q' parameter is not properly sanitized before being reflected in the HTML response. This flaw allows attackers to inject arbitrary JavaScript that can be executed in the context of the user's browser, potentially leading to cookie theft or session hijacking.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's session.

Reproduction

To reproduce this vulnerability, send a request to the 'search-report-result.php' endpoint with a crafted 'q' parameter that contains unescaped markup, such as an image tag with an 'onerror' event handler. The injected JavaScript then executes in the response page, for example by alerting the document's cookies, which demonstrates the cross-site scripting vulnerability.
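
The reflection pattern described above, next to a hardened form that encodes the value at output, as an added example (not the application's actual source code). Only the 'q' parameter name comes from this advisory; the function names, the heading markup and the sample input are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of the flaw: the search term is concatenated
// into the HTML response as-is, so markup inside 'q' is parsed by the browser
// instead of being displayed as text.
function render_heading_vulnerable(string $q): string
{
    return '<h4>Result against "' . $q . '" keyword</h4>';
}

// Output encoding for the HTML context, applied where the value is written.
// ENT_QUOTES encodes both quote styles (required if the value ever lands in
// an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_heading_safe(string $q): string
{
    return '<h4>Result against "' . h($q) . '" keyword</h4>';
}

// Read the parameter defensively: a non-string value (e.g. q[]=...) is
// treated as an empty search term rather than reaching string operations.
function read_q(array $request): string
{
    $q = $request['q'] ?? '';
    return is_string($q) ? trim($q) : '';
}

// Constructed sample input matching the image/onerror case in this advisory.
$sample = ['q' => '<img src=x onerror=alert(document.cookie)>'];
$q = read_q($sample);

// The first line carries a live tag; the second carries inert entity text.
echo render_heading_vulnerable($q), PHP_EOL;
echo render_heading_safe($q), PHP_EOL;
```

Setting the HttpOnly flag on the session cookie and sending a Content-Security-Policy header reduce the impact of any reflection that is missed, but they do not replace encoding at output.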

Added: Jun 19, 2025, 11:18 PM
Updated: Jun 19, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.0
exploitability: 7.4
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.