Sourcecodester Medicine Reminder App Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Sourcecodester Medicine Reminder App version 1.0. The 'Medicine Name' and 'Notes (Optional)' fields of the 'Upcoming Reminder' form accept arbitrary HTML and JavaScript and render it back without output encoding. Once the reminder is saved with the 'Save Reminder' button, the injected payload executes in the victim's browser whenever the reminder is displayed.
Impact
Exploitation allows an attacker to run arbitrary script in the context of the application origin, with the privileges of whichever user views the reminder. This can lead to session hijacking, where the attacker reads cookies or session tokens to impersonate the user, and to in-page phishing, credential harvesting, or delivery of malicious content through the injected markup.
Reproduction
To reproduce this vulnerability, enter an HTML or JavaScript payload into the 'Medicine Name' or 'Notes (Optional)' field while creating an 'Upcoming Reminder' and click 'Save Reminder'. The injected script executes in the browser when the saved reminder is rendered.
Remediation
The primary fix is contextual output encoding: every user-supplied value must be HTML-encoded for the context it is written into (element text, attribute value) at the point where it is rendered. Input validation on the 'Medicine Name' and 'Notes (Optional)' fields (length limits, rejecting angle brackets where they serve no purpose) is worthwhile defence in depth but does not replace encoding. In addition, apply a Content Security Policy (CSP) that disallows inline scripts and restricts script sources, and mark the session cookie HttpOnly so that a successful injection cannot read it from client-side script; note that HttpOnly limits cookie theft only and does not prevent the script from acting on the user's behalf within the page.
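The following is an added example, not code from the Medicine Reminder App, showing the vulnerable rendering pattern beside the hardened one for the two fields the advisory names. The reminder object shape, the markup layout and the header helper are assumptions for illustration; the payloads are constructed test strings, not captured exploit traffic.

```javascript
// Added example (not the Medicine Reminder App's own code). Field names,
// reminder object shape and HTML layout are assumptions.

// Encode the five characters that matter in an HTML text or double-quoted
// attribute context. '&' must be replaced first so existing entities are
// not double-encoded in a second pass.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: user-controlled fields concatenated straight into markup.
// Anything the user typed becomes part of the DOM, including <script> tags.
function renderReminderUnsafe(reminder) {
  return '<li class="reminder">' +
         '<strong>' + reminder.medicineName + '</strong>' +
         '<p class="notes">' + reminder.notes + '</p>' +
         '</li>';
}

// Hardened pattern: every untrusted value is encoded for the context it lands in,
// both the element text and the quoted data-name attribute.
function renderReminderSafe(reminder) {
  return '<li class="reminder" data-name="' + escapeHtml(reminder.medicineName) + '">' +
         '<strong>' + escapeHtml(reminder.medicineName) + '</strong>' +
         '<p class="notes">' + escapeHtml(reminder.notes) + '</p>' +
         '</li>';
}

// Server-side defence in depth: a CSP with no 'unsafe-inline' for scripts, and an
// HttpOnly session cookie so an injected script cannot read it. Cookie name is assumed.
function hardeningHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    'Set-Cookie':
      'session=' + encodeURIComponent(sessionId) + '; HttpOnly; Secure; SameSite=Lax',
  };
}

// Constructed payloads of the kind the advisory describes: one for the text
// context, one that tries to break out of an attribute.
const SAMPLE_REMINDER = {
  medicineName: '<script>alert(document.domain)</script>',
  notes: '"><img src=x onerror=alert(1)>',
};

// True when the rendered HTML still contains a raw tag the user supplied.
function containsRawTags(html) {
  return /<script|<img/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderReminderUnsafe(SAMPLE_REMINDER));
  console.log('safe:  ', renderReminderSafe(SAMPLE_REMINDER));
  console.log(hardeningHeaders('example-session-id'));
}
```

Running the block prints the unsafe output with a live `<script>` element and the safe output with `&lt;script&gt;` text. The same encoding has to be applied in every template that prints these fields; encoding only on the save path is not enough, because data already stored, or written through another code path, still reaches the page.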
