PHPGurukul Apartment Visitors Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises in the file pass-details.php, where the visname parameter, submitted via a POST request to create-pass.php, is not properly sanitized or encoded before being displayed. This flaw allows attackers to inject malicious JavaScript that executes in the browsers of users, including administrators, who view the page.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user, potentially leading to cookie or session token theft, unauthorized actions on behalf of the user, especially if an admin is targeted, and redirection to malicious websites.

Reproduction

To reproduce this vulnerability, send a POST request to /avms/create-pass.php with the visname parameter containing the injected script, such as a JavaScript alert tag. This input will be saved and later displayed on the /pass-details.php page without any escaping, allowing the injected script to execute.

Remediation

It is recommended to implement proper output encoding, input validation, and to apply a Content Security Policy (CSP) to mitigate this vulnerability.