Phpgurukul Cyber Cafe Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Phpgurukul Cyber Cafe Management System version 1.0, specifically within the user management module. The vulnerability arises because the application fails to properly sanitize or encode user input submitted through the 'uadd' parameter in the 'add-users.php' endpoint. This allows authenticated attackers to inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is executed when a privileged user clicks the 'View' button on the 'view-allusers.php' page.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript code in the context of the user viewing the affected record, potentially leading to session hijacking, privilege escalation, or further compromise of the application.

Reproduction

To reproduce this vulnerability, an authenticated user with administrative privileges can inject JavaScript payloads into the 'uadd' parameter while creating a new user in the 'add-users.php' endpoint. Once the user is created, the injected script will be executed when the user record is accessed through the 'view-user-detail.php' endpoint.

Remediation

It is recommended to validate and sanitize all user input on the server side, apply proper output encoding when rendering dynamic content, implement a strict Content Security Policy, and use secure input handling mechanisms and frameworks.
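The output-encoding, input-validation and Content Security Policy measures above, sketched in PHP as an added example; this is not the application's own code. The function names, the array shape, the sample rows and the assumption that 'uadd' is a free-text address field are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a value for HTML text and quoted-attribute contexts.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical allow-list for 'uadd', assumed here to be a free-text address field.
// Returns the trimmed value, or null when the input should be rejected.
function validate_uadd(string $raw): ?string
{
    $value = trim($raw);
    return preg_match('/\A[\p{L}\p{N} .,#\/\-\'\r\n]{1,200}\z/u', $value) === 1 ? $value : null;
}

// Weak form: the stored value is concatenated into markup unchanged.
function render_uadd_unsafe(array $user): string
{
    return '<td>' . $user['uadd'] . '</td>';
}

// Corrected form: encode at output time, whatever was stored.
function render_uadd_safe(array $user): string
{
    return '<td>' . e($user['uadd'] ?? null) . '</td>';
}

// Defence in depth: a CSP without 'unsafe-inline' stops inline script from running.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample rows standing in for records read from the database.
$rows = [
    ['uadd' => "12 Main St, Apt #4"],
    ['uadd' => '<script>/* constructed marker */</script>'],
];

foreach ($rows as $row) {
    printf("validate: %s\n", validate_uadd($row['uadd']) === null ? 'rejected' : 'accepted');
    printf("unsafe  : %s\n", render_uadd_unsafe($row));
    printf("safe    : %s\n\n", render_uadd_safe($row));
}
```

Encoding at render time is the control that neutralizes values already stored in the database; the allow-list only limits what new submissions can add.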

Added: Jan 15, 2026, 9:33 PM
Updated: Jan 15, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.4
exploitability: 6.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.