PHPGurukul Taxi Stand Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Taxi Stand Management System version 1.0. The issue resides in the file '/admin/new-autoortaxi-entry-form.php', specifically within the 'registrationnumber' and 'licensenumber' fields. This vulnerability allows remote injection of malicious JavaScript, which executes when an admin views their profile.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to cookie or session token theft, execution of cross-site request forgery-like attacks, privilege escalation if an admin is targeted, and redirection to malicious sites.

Reproduction

To reproduce this vulnerability, send a POST request to '/admin/new-autoortaxi-entry-form.php' with a crafted 'registrationnumber' or 'licensenumber' parameter that includes malicious JavaScript. Once submitted, the injected script will execute when the admin views their profile.

Remediation

It is recommended to sanitize and encode user inputs before rendering them in the output. Implementing a Content Security Policy (CSP) and using a sanitizer can also help mitigate this vulnerability.