CodeAstro Real Estate Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CodeAstro Real Estate Management System version 1.0. The issue resides in the file '/propertyview.php', where the 'msg' GET parameter is echoed directly to the page without proper sanitization. This flaw allows remote attackers to inject and execute arbitrary JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed immediately in the context of the user.

Reproduction

To reproduce this vulnerability, send a GET request to '/admin/propertyview.php' with the 'msg' parameter containing the injected script, such as a JavaScript alert. The injected script will be executed in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, escape the output of the 'msg' parameter using 'htmlspecialchars' to prevent the execution of injected scripts.