PHPGurukul Apartment Visitors Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises from inadequate input sanitization and the absence of output encoding on the 'visname' parameter, which is submitted via a POST request to '/avms/create-pass.php'. This user-generated input is saved and subsequently displayed on '/bwdates-passreports-details.php' without any escaping or filtering. As a result, attackers can inject malicious JavaScript that executes in the browser of any user, including administrators, who views the page.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) attacks, privilege escalation if an administrator views the injected content, and exfiltration of sensitive information or redirection to malicious websites.

Reproduction

To reproduce this vulnerability, send a POST request to '/avms/create-pass.php' with the 'visname' parameter containing the injected script, such as a JavaScript alert. The injected script will be executed when the 'visname' is later displayed on the '/bwdates-passreports-details.php' page.

Remediation

It is recommended to implement proper output encoding, input validation, and to apply a Content Security Policy (CSP) to mitigate this vulnerability.