PHPGurukul Online Banquet Booking System
cpe:2.3:a:phpgurukul:online_banquet_booking_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Online Banquet Booking System version 1.0. The issue resides in the admin-profile.php file, specifically within the adminname parameter, whose value is stored and later rendered without encoding. This allows the injection of malicious JavaScript, which is executed when an admin views their profile. The vulnerability can be exploited remotely and requires some user interaction.
Exploitation of this vulnerability allows the injected JavaScript to execute in the context of the viewing user's browser session. This could lead to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) actions with the victim's privileges, privilege escalation if an admin views the injected content, and redirection to malicious sites.
To reproduce this vulnerability, send a POST request to the admin/admin-profile.php page with a crafted adminname parameter that includes JavaScript payloads, such as a script tag. The injected script will execute when the admin profile is viewed.
It is recommended to validate user input on the way in and, above all, to encode stored values for the HTML context in which they are rendered (element content or attribute value) before writing them to the output. Applying a Content Security Policy (CSP) and using an HTML sanitizer provide defense in depth and can limit the impact of this vulnerability.
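The following is an added example and is not PHPGurukul's code: it places the typical vulnerable rendering pattern for a stored profile field beside a hardened version that encodes the value for the attribute context with `htmlspecialchars`, adds an allow-list validator for the incoming name, and sets a CSP header. The function names, the CSP directive values, and the sample value are constructed for illustration and are not taken from the project; the CSP assumes the application's scripts are served from its own origin.

```php
<?php
// Added example (not PHPGurukul's code): output encoding for a stored value
// such as the admin name rendered by admin/admin-profile.php. Function names,
// the CSP directives and the sample value are constructed for illustration.

declare(strict_types=1);

// Encode a value for insertion into HTML element content or a quoted attribute.
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning '' (which would silently drop the value).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the admin name on the way in: length cap plus an allow-list of the
// characters a display name legitimately needs. Returns null on rejection.
// Validation is defense in depth; the output encoding above is what prevents XSS.
function validateAdminName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so quotes and angle brackets in it become part of the page structure.
function renderProfileUnsafe(string $adminName): string
{
    return '<input type="text" name="adminname" value="' . $adminName . '">';
}

// Hardened pattern: same markup, value encoded for the attribute context.
function renderProfileSafe(string $adminName): string
{
    return '<input type="text" name="adminname" value="' . e($adminName) . '">';
}

// Defense in depth: a restrictive CSP; must be sent before any output.
// (Ignored when run from the CLI, so the script still runs stand-alone.)
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// Constructed sample value containing markup and quotes.
$sample = 'Admin "Test" <b>name</b> & co';

echo "unsafe:   ", renderProfileUnsafe($sample), PHP_EOL;
echo "safe:     ", renderProfileSafe($sample), PHP_EOL;
echo "validate: ", var_export(validateAdminName($sample), true), PHP_EOL;
echo "validate: ", var_export(validateAdminName("Jane O'Neil"), true), PHP_EOL;
```

Run with `php example.php`: the unsafe line shows the attribute being closed early by the embedded quote, the safe line shows the same value with `"`, `<`, `>` and `&` encoded as entities, the validator rejects the sample and accepts the plain name. The encoding step is the actual fix; the validator and the CSP only reduce the blast radius if an encoding call is missed elsewhere.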