Sourcecodester Web-Based Pharmacy Product Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Sourcecodester Web-Based Pharmacy Product Management System version 1.0. The issue resides in the Supplier Name field of the Supplier module, specifically within the 'add-supplier.php' file. This vulnerability allows attackers to inject malicious scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session. This could lead to session hijacking, credential theft, data exposure, or unauthorized actions performed as the victim.

Reproduction

To reproduce this vulnerability, navigate to the Supplier Name field in the 'add-supplier.php' file of the Pharmacy Product Management System. Inject a script payload, such as an SVG image with an 'onload' event, into the Supplier Name field. When the injected URL is opened, the script payload will execute, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, implement contextual encoding, validate and sanitize input, use secure cookie attributes, and avoid unsafe sinks that could allow script execution.