Cyber Cafe Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Cyber Cafe Management System version 1.0. This vulnerability allows authenticated attackers to inject arbitrary JavaScript into the username parameter via the add-users.php endpoint. The injected script is stored in the database and executed in the browser of users who access the affected page.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to information disclosure, session hijacking, and unauthorized actions performed on behalf of the user.

Reproduction

To reproduce this vulnerability, an authenticated user with administrative privileges can inject a JavaScript payload into the username field while creating a new user through the add-users.php endpoint. Once the user is created, the injected script will be executed when the user list is viewed on the view-allusers.php page.

Remediation

Users are advised to validate and sanitize all user input on the server side, apply proper output encoding when displaying dynamic content, implement a strict Content Security Policy, and use secure input handling mechanisms and frameworks.
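
The following sketch shows the first three remediation points applied to the two pages named above. It is an added example, not code from Cyber Cafe Management System; the function names, the 'username' array key and the username format are assumptions made for illustration.

```php
<?php
// Added example. validate_username(), e(), render_user_rows() and the
// 'username' key are hypothetical names, not the application's real code.

// Input side (add-users.php): allowlist the username before storing it.
function validate_username(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: letters, digits, dot, underscore, hyphen; 3 to 32 chars.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1 ? $name : null;
}

// Output side (view-allusers.php): encode every stored value for the HTML
// context, so markup already in the database is displayed as inert text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_user_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . e((string) $row['username']) . "</td></tr>\n";
    }
    return $html;
}

// Defence in depth: block inline script even if an encoding call is missed.
// Sent before any output; skipped when the file is run from the command line.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample rows standing in for a database result set. The second
// row models a value stored before input validation was in place.
$rows = [
    ['username' => 'alice'],
    ['username' => '<script>alert(1)</script>'],
];

var_dump(validate_username($rows[0]['username'])); // accepted unchanged
var_dump(validate_username($rows[1]['username'])); // rejected (null)
echo render_user_rows($rows);                      // second row is entity-encoded
```

Output encoding is the control that neutralises values already stored in the database; input validation only stops new ones from being added.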

Added: Jan 15, 2026, 9:37 PM
Updated: Jan 15, 2026, 9:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.