PHPGurukul Apartment Visitors Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises in the file 'visitor-detail.php', where the 'visname' parameter, submitted via a POST request to 'visitors-form.php', is not properly sanitized or encoded before being displayed. This flaw allows attackers to inject malicious JavaScript that executes in the browsers of users, including administrators, who view the page.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser. This could lead to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) attacks, privilege escalation if an administrator views the injected content, and redirection of users to malicious sites.

Reproduction

To reproduce this vulnerability, send a POST request to 'avms/visitors-form.php' with the 'visname' parameter containing the injected script, such as a JavaScript alert. This input will be saved and later rendered on 'visitor-detail.php' without any escaping, allowing the injected script to execute.