PHPGurukul Directory Management System Cross-Site Scripting Vulnerability in add-directory.php

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Directory Management System version 2.0. The issue resides in the file /admin/add-directory.php, where the fullname parameter is not properly sanitized, allowing attackers to inject malicious JavaScript. This injected script is executed in the context of the user's browser, potentially leading to session hijacking, unauthorized actions, and disclosure of sensitive information.

Impact

Exploitation of this vulnerability allows for the injection and execution of arbitrary scripts in the context of the affected user's browser. This could result in session hijacking, theft of sensitive information, defacement of web pages, and unauthorized actions performed on behalf of legitimate users.

Reproduction

To reproduce this vulnerability, send a POST request to /dms/admin/add-directory.php with a fullname parameter containing injected JavaScript, such as a script tag including a JavaScript alert. This can be done using tools like Burp Suite or Postman.
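The fix pattern for this class of bug, shown as an added illustration rather than PHPGurukul's own code: the unencoded echo that makes a submitted fullname executable, next to a hardened handler that validates the value on input and HTML-encodes it on output. The PDO connection, the tbldirectory table and the FullName column are assumed names for the demonstration.

```php
<?php
// Added illustrative example, not the PHPGurukul source. Names other than the
// fullname POST parameter named in the advisory are assumptions.

// Vulnerable pattern: the submitted value is written into the page unchanged, so a
// value containing a <script> tag becomes markup and runs in the viewer's browser.
function render_directory_entry_unsafe(string $fullname): string
{
    return '<td>' . $fullname . '</td>';   // no output encoding
}

// Hardened step 1: validate on input. A person's name is letters from any script,
// combining marks, spaces, apostrophes, hyphens and dots, 1..100 characters.
function validate_fullname(string $fullname): ?string
{
    $fullname = trim($fullname);
    if ($fullname === '' || mb_strlen($fullname, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match("/^[\\p{L}\\p{M} .'-]+$/u", $fullname)) {
        return null;
    }
    return $fullname;
}

// Hardened step 2: encode on output for the HTML context the value lands in.
function render_directory_entry_safe(string $fullname): string
{
    return '<td>' . htmlspecialchars($fullname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Handler sketch for add-directory.php. $pdo, tbldirectory and FullName are assumed.
function handle_add_directory(PDO $pdo, array $post): string
{
    $fullname = validate_fullname($post['fullname'] ?? '');
    if ($fullname === null) {
        http_response_code(400);
        return 'Invalid full name';
    }
    // Prepared statement: the stored value is data, never SQL.
    $stmt = $pdo->prepare('INSERT INTO tbldirectory (FullName) VALUES (:fullname)');
    $stmt->execute([':fullname' => $fullname]);
    return render_directory_entry_safe($fullname);
}

// Constructed sample input mirroring the advisory's reproduction step.
$sample = '<script>alert(1)</script>';
var_dump(validate_fullname($sample));                // NULL: rejected at input
echo render_directory_entry_safe($sample), PHP_EOL;  // encoded, rendered as inert text
```

Validation alone is not the fix: any other code path that echoes FullName still needs the output encoding, so both steps apply.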

Added: Aug 29, 2025, 4:23 PM
Updated: Aug 29, 2025, 4:39 PM

Vulnerability Rating

Custom Algorithm
  spread          0.8
  impact          1.7
  exploitability  7.7
  remediation     0.0
  relevance       0.4
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.