PHPGurukul Apartment Visitors Management System
cpe:2.3:a:phpgurukul:apartment_visitor_management_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises in the file '/create-pass.php', specifically within the HTTP POST request handler. The vulnerability is triggered by manipulating the 'visname' parameter, which is not properly sanitized before being saved and later displayed on '/manage-passes.php'. This lack of output encoding allows for the injection of malicious scripts that can execute in the browsers of users, including administrators.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user. This can lead to cookie or session token theft, unauthorized actions on behalf of the user (especially if an admin is targeted), and redirection to malicious websites.
To reproduce this vulnerability, send a POST request to '/avms/create-pass.php' with the 'visname' parameter containing a script tag, such as '<script>alert(1)</script>'. Include the necessary form data, such as category, mobilenumber, address, apartment, floor, inputdate, todate, and passdescription. Once the data is submitted, the injected script will execute when the 'manage-passes.php' page is loaded.
It is recommended to implement proper output encoding for user-supplied input, validate input data, apply a Content Security Policy, and use a sanitizer to remove harmful elements before rendering.
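The recommendations above, sketched as an added PHP example that is not the application's own code: encode every stored field when a pass row is rendered, validate 'visname' before it is saved, and send a Content Security Policy as defence in depth. The helper names, the array-shaped record, the name policy and the CSP value are assumptions; only the field names and the sample payload come from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real source is not shown on this page.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate the visitor name before it is saved (the create-pass.php side).
 * Assumed policy: letters, marks, space, dot, apostrophe, hyphen; 1-80 chars.
 */
function validVisitorName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'\-]{1,80}\z/u', trim($name)) === 1;
}

/** Render one row of a pass listing (the manage-passes.php side), every field encoded. */
function renderPassRow(array $pass): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        e((string) ($pass['visname'] ?? '')),
        e((string) ($pass['mobilenumber'] ?? '')),
        e((string) ($pass['apartment'] ?? ''))
    );
}

/** Defence in depth: refuse inline scripts. Must be called before any output. */
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample record carrying the payload quoted in the advisory.
$stored = [
    'visname'      => '<script>alert(1)</script>',
    'mobilenumber' => '5550100',
    'apartment'    => 'B-12',
];

if (PHP_SAPI === 'cli') {
    // Validation result for the sample name, then the encoded row markup.
    var_dump(validVisitorName($stored['visname']));
    echo renderPassRow($stored), PHP_EOL;
}
```

Encoding at render time is the control that closes the stored XSS, because it also neutralises values already saved in the database; validation and the CSP only reduce what can get in and what can run.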