Blood Bank Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Blood Bank Management System version 1.0. The issue resides in the updateprofile.php and hprofile.php components, where user input is not properly sanitized or encoded before being displayed. This flaw allows attackers to inject malicious JavaScript into several parameters, including hname, hemail, hpassword, hphone, and hcity. The injected scripts are executed in the context of the victim's browser when the affected page is accessed.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'hprofile.php' page. Update the profile by injecting a script into one of the vulnerable parameters (hname, hemail, hpassword, hphone, or hcity). Once the profile is updated, the injected script will execute in the browser.