phpgurukul Hostel Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in phpGurukul's Hostel Management System version 2.1. This issue arises in the complaint registration feature, where user input in the 'Explain the Complaint' field is not properly sanitized before being saved. The unescaped data is later displayed in the admin complaint details view, allowing any injected HTML or JavaScript to execute in the administrator's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the admin user when viewing complaint details.

Reproduction

To reproduce this vulnerability, log in as a user and navigate to the complaint registration page. Enter a complaint in the 'Explain the Complaint' field, including a script payload. Submit the complaint, then log in as an admin and go to the complaint details page for the complaint just submitted. The injected script will execute in the admin's browser.

Remediation

To address this vulnerability, implement input validation and output encoding. User input should be sanitized before being stored in the database, and complaints should be escaped when displayed in the admin viewer.
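The fix described above, shown as a worked example in PHP. This is added illustration, not code from phpGurukul's Hostel Management System; the function names, the `complaints` table and its `description` column, and the sample row are assumptions for the demonstration. It places the vulnerable rendering pattern the advisory describes beside the corrected one, with validation on the way into the database and HTML encoding at the point of output:

```php
<?php
// Added example, not the Hostel Management System's own code.
// Function, table and column names are assumptions for illustration.

// Store the complaint with a prepared statement. Input validation here is
// limited to shape checks (non-empty, bounded length); the text is kept
// as submitted because encoding belongs at output time, per context.
function store_complaint(PDO $db, int $userId, string $complaintText): void
{
    $complaintText = trim($complaintText);
    if ($complaintText === '' || mb_strlen($complaintText) > 2000) {
        throw new InvalidArgumentException('Complaint must be 1-2000 characters.');
    }
    $stmt = $db->prepare(
        'INSERT INTO complaints (user_id, description) VALUES (:uid, :desc)'
    );
    $stmt->execute([':uid' => $userId, ':desc' => $complaintText]);
}

// Encode a value for an HTML element body. ENT_QUOTES covers both quote
// styles (so the same helper is safe inside quoted attributes), and
// ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing the output to ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (what the advisory describes): the stored description
// is concatenated into the admin page verbatim, so any markup it contains
// is parsed and executed by the administrator's browser.
function render_complaint_vulnerable(array $row): string
{
    return '<td>' . $row['description'] . '</td>';
}

// Fixed pattern: every untrusted value is encoded where it is emitted.
// The browser then displays the stored text literally instead of parsing it.
function render_complaint_fixed(array $row): string
{
    return '<td>' . h($row['description']) . '</td>';
}

// Constructed sample row for the demonstration (not data from the advisory).
$sample = ['description' => '<script>alert(1)</script>'];
echo "Vulnerable: ", render_complaint_vulnerable($sample), "\n";
echo "Fixed:      ", render_complaint_fixed($sample), "\n";
```

Run with `php example.php`: the vulnerable line reproduces the stored tag as-is, while the fixed line has its angle brackets and quotes turned into HTML entities, so the same row renders as inert text. The encoding call sits in the view rather than at insert time on purpose: data stored already-escaped breaks any later non-HTML consumer (CSV export, JSON API) and tends to get double-encoded, whereas encoding at output is correct for every reader of the table.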

Added: Jan 8, 2026, 4:19 PM
Updated: Jan 8, 2026, 6:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.7
exploitability: 6.6
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.