SourceCodester Advanced School Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Advanced School Management System version 1.0. The issue resides in the '/index.php/notice/addNotice' file, where the 'noticeSubject' parameter is not properly sanitized before being displayed. This flaw allows attackers to inject malicious scripts that are executed in the browsers of users who view the affected page. Exploitation of this vulnerability requires user authentication.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the notice.

Reproduction

To reproduce this vulnerability, log into the application with a user account. Navigate to the 'Add Notice' page and enter a payload, such as an image tag with an 'onerror' event, into the 'noticeSubject' parameter. Submit the form, then go to the 'All Notices' page to see the injected script executed, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to implement input validation and sanitization for user-generated content, ensuring that any potentially harmful code is removed or escaped before it can be displayed. Additionally, output encoding should be applied when rendering user input on web pages, and a Content Security Policy could be established to limit the execution of scripts. Regular security testing should also be conducted to identify and address such vulnerabilities.
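The remediation steps above, sketched in PHP as an added example; this is not the application's own code. The function names and the notice array shape are hypothetical, and the policy assumes the page loads scripts only from its own origin.

```php
<?php
declare(strict_types=1);

// Added illustration. Function names and the $notice array shape are
// hypothetical; the application's real code is not shown in the advisory.

/** Input validation: 1-200 code points, valid UTF-8, no control characters. */
function validate_notice_subject(string $raw): string
{
    $subject = trim($raw);
    // With /u, invalid UTF-8 makes preg_match() return false, so it is rejected too.
    if (preg_match('/^\P{C}{1,200}$/u', $subject) !== 1) {
        throw new InvalidArgumentException('noticeSubject is empty, too long, or malformed');
    }
    // Markup characters are not stripped here; they are neutralized at output.
    return $subject;
}

/** Output encoding for HTML element content and quoted attribute values. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** One row of the "All Notices" listing. */
function render_notice_row(array $notice): string
{
    // Vulnerable pattern: '<td>' . $notice['subject'] . '</td>'
    return '<tr><td>' . html_encode($notice['subject']) . '</td></tr>';
}

/** Second layer: without 'unsafe-inline', inline scripts and event handlers are blocked. */
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample input of the kind described under Reproduction.
$stored = validate_notice_subject('<img src=x onerror=alert(1)>');
send_csp_header();
echo render_notice_row(['subject' => $stored]), PHP_EOL;
```

Encoding at render time also covers notices that were stored before any input validation was in place.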

Added: Aug 21, 2025, 4:20 PM
Updated: Aug 21, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.