PHPGurukul Bus Pass Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Bus Pass Management System version 1.0. This issue affects the administrative profile page, specifically the file '/admin/admin-profile.php'. The vulnerability arises because the application fails to properly sanitize user input for the 'profile name' argument, allowing an attacker to inject malicious scripts. Once injected, these scripts are permanently stored in the database and executed whenever the profile page is accessed by any user, including other administrators.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the profile page. This could lead to session hijacking, website defacement, distribution of malware, privilege escalation, or unauthorized actions on behalf of the victimized administrator.

Reproduction

To reproduce this vulnerability, log into the PHPGurukul Bus Pass Management System as an administrator. Navigate to the profile page and edit the profile name field by injecting an XSS payload. Once the payload is saved, it will be executed every time the profile page is accessed.