PHPGurukul Apartment Visitors Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises from inadequate input sanitization and the absence of output encoding on the 'visname' parameter, which is submitted via a POST request to '/avms/visitors-form.php'. This user-generated input is saved and subsequently displayed on '/manage-newvisitors.php' without any escaping or filtering. As a result, attackers can inject malicious JavaScript that executes in the browsers of users who view the page, including administrators.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser. This could lead to the theft of cookies or session tokens, privilege escalation if an administrator views the injected content, and execution of cross-site request forgery-like attacks.

Reproduction

To reproduce this vulnerability, send a POST request to '/avms/visitors-form.php' with the 'visname' parameter containing a script tag, such as '<script>alert(1)</script>'. This input will be stored and executed when the '/manage-newvisitors.php' page is loaded.

Remediation

It is recommended to implement proper output encoding, input validation, and to apply a Content Security Policy. Additionally, using a sanitizer to clean user input before processing it can help mitigate this vulnerability.