Code-Projects School Fees Payment System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects School Fees Payment System version 1.0. The issue resides in the '/branch.php' file, where user input from the 'Branch', 'Address', and 'Detail' parameters is neither validated on input nor encoded on output: the submitted values are stored and later written into the page as-is. An attacker who can submit or edit a branch record can therefore inject markup or script that every user who views the branch data executes in their own browser, potentially leading to session hijacking and cookie theft.

Impact

Exploitation of this vulnerability yields persistent cross-site scripting: because the payload is stored with the branch record, it runs for every user who later loads the affected page, not only the user who submitted it. Injected scripts execute in the context of the viewing user's session, potentially leading to session hijacking, cookie theft, and unauthorized actions performed on that user's behalf.

Reproduction

To reproduce this vulnerability, open '/branch.php' and submit the 'Branch', 'Address', and 'Detail' fields with a script payload, for example a simple alert such as <script>alert(1)</script>. After submitting, the injected script executes when the stored record is displayed, demonstrating the cross-site scripting vulnerability. The same result is obtained by editing an existing entry and saving the payload in one of the three fields, which triggers execution when the edited record is rendered.
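The following is an added example, not code from Code-Projects School Fees Payment System. It reconstructs the pattern the advisory describes (stored values written into HTML without encoding) next to a hardened version that entity-encodes on output, and includes a check for whether a payload survives rendering unmodified. The field names, the table layout, and the edit-form attribute context are assumptions about how branch.php renders its data.

```php
<?php
// Added example: a reconstruction of the vulnerable output pattern, not the
// project's own code. Field names and markup layout are assumptions.
declare(strict_types=1);

// Constructed sample submission for the three affected fields, carrying the
// kind of payloads the reproduction steps describe. Each targets a different
// HTML context: text node, quoted attribute, and an inline tag.
$submitted = [
    'branch'  => '<script>alert(1)</script>',
    'address' => '" onmouseover="alert(2)',
    'detail'  => 'Main campus <img src=x onerror=alert(3)>',
];

// Vulnerable list rendering: stored values are concatenated straight into
// the table, so the browser parses the payload as markup.
function renderRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['branch'] . '</td>'
         . '<td>' . $row['address'] . '</td>'
         . '<td>' . $row['detail'] . '</td></tr>';
}

// Vulnerable edit form: the stored value is placed inside a quoted attribute,
// so a payload containing a double quote can break out and add a handler.
function renderEditVulnerable(array $row): string
{
    return '<input name="address" value="' . $row['address'] . '">';
}

// Output encoding for HTML text and quoted-attribute contexts. ENT_QUOTES
// encodes both ' and ", ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would otherwise silently blank a field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened equivalents: same markup, every dynamic value encoded.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['branch']) . '</td>'
         . '<td>' . e($row['address']) . '</td>'
         . '<td>' . e($row['detail']) . '</td></tr>';
}

function renderEditSafe(array $row): string
{
    return '<input name="address" value="' . e($row['address']) . '">';
}

// Check used when confirming the finding: does the rendered HTML still
// contain the raw payload? If so, the browser will interpret it as markup.
function containsRawPayload(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

$vulnHtml = renderRowVulnerable($submitted) . renderEditVulnerable($submitted);
$safeHtml = renderRowSafe($submitted) . renderEditSafe($submitted);

foreach ($submitted as $field => $payload) {
    printf("%-8s vulnerable: %-9s hardened: %s\n",
        $field,
        containsRawPayload($vulnHtml, $payload) ? 'reflected' : 'encoded',
        containsRawPayload($safeHtml, $payload) ? 'reflected' : 'encoded');
}

echo PHP_EOL, "Hardened output:", PHP_EOL, $safeHtml, PHP_EOL;
```

Run with `php example.php`. All three fields report `reflected` for the vulnerable renderer and `encoded` for the hardened one; the printed hardened markup shows the payloads as `&lt;script&gt;...` and `&quot; onmouseover=...`, which the browser displays as literal text. Encoding at output is the fix that covers both the list view and the edit form; input validation on its own would not protect data that is already stored.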

Added: Jun 20, 2025, 1:19 PM
Updated: Jun 20, 2025, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.3
exploitability: 6.3
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.