PHPGurukul Zoo Management System
cpe:2.3:a:phpgurukul:zoo_management_system:*:*:*:*:*:*:*
- 2.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue resides in the file '/admin/add-foreigner-ticket.php', where the 'visitorname' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript. This injected script is executed in the context of the user's browser, potentially leading to session hijacking, unauthorized actions, and disclosure of sensitive information. The vulnerability can be exploited remotely without authentication, but requires user interaction.
Exploitation of this vulnerability allows for the injection and execution of arbitrary scripts in the context of the affected user's browser. This could result in session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, and defacement of web pages.
To reproduce this vulnerability, send a POST request to '/zms/admin/add-foreigners-ticket.php' with the 'visitorname' parameter containing a script tag, such as '<script>alert(1)</script>'. Include the necessary cookies to maintain the session.
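The standard mitigation for this class of bug is to validate the value on input and HTML-encode it on output. The following is an added example, not code from PHPGurukul Zoo Management System: it assumes the 'visitorname' value is later written into an HTML page, and the function names are hypothetical.

```php
<?php
// Added illustration; not the application's own code.
// Assumption: 'visitorname' arrives via POST and is later echoed into HTML.

// Unsafe pattern: request data concatenated straight into markup.
function render_visitor_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Input validation (hypothetical policy): 1-100 characters drawn from
// Unicode letters, combining marks, space, dot, apostrophe and hyphen.
// With the /u flag preg_match() returns false on invalid UTF-8, which
// is also rejected by the !== 1 comparison.
function validate_visitor_name(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/^[\p{L}\p{M} .\'-]{1,100}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Output encoding for an HTML element context. This is the control that
// stops the script from executing even if validation is bypassed or
// older unvalidated rows already exist in the database.
function render_visitor_safe(string $name): string
{
    return '<td>'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Constructed sample inputs: one ordinary name and the test string
// quoted in the reproduction steps.
$samples = ["Ana-María O'Neil", '<script>alert(1)</script>'];

foreach ($samples as $raw) {
    $valid = validate_visitor_name($raw);
    printf("input:      %s\n", $raw);
    printf("validation: %s\n", $valid === null ? 'rejected' : 'accepted');
    printf("unsafe:     %s\n", render_visitor_unsafe($raw));
    printf("encoded:    %s\n\n", render_visitor_safe($raw));
}
```

Encoding belongs at every place the stored name is rendered, not only in the form handler, because the same value may be displayed on other pages.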