CodeAstro Ecommerce Website Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in CodeAstro Ecommerce Website version 1.0. The issue resides in the 'Edit Your Account' page, specifically within the 'my_account.php' file. The vulnerability allows for the injection of malicious scripts into the 'Username' field, which are then executed in the context of other users' browsers when the username is displayed. This exploitation can be initiated remotely.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the affected user's browser, potentially leading to session hijacking, account takeover, and other malicious actions such as phishing or UI defacement.

Reproduction

To reproduce this vulnerability, log into an account and navigate to the 'Edit Account' section. Inject a script payload into the 'Customer Name' field and save the changes. After logging out and back in, the injected script will execute on the home page.