SourceCodester Pharmacy Sales and Inventory System
cpe:2.3:a:pharmacy_sales_and_inventory_system_project:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'create_supplier' function within the file '/ShowForm/create_supplier/main'. The vulnerability allows remote attackers to inject malicious scripts by manipulating the 'company_name' parameter, which is then output to the web page without proper encoding or filtering. This flaw could be exploited to execute arbitrary scripts in the context of the user's browser, potentially leading to unauthorized actions or the theft of sensitive information such as cookies or session tokens.
Successful exploitation runs attacker-supplied JavaScript in the victim's browser under the application's origin. From there the script can read cookies or session tokens that are not HttpOnly, submit requests to the application with the victim's session (for example creating or altering supplier and inventory records), alter the page contents, or redirect the victim to an attacker-controlled site. The report does not state whether the payload is only reflected in the response to the crafted request or is stored with the supplier record; in the stored case the script fires for every user who later views that record, which makes the realistic impact considerably larger.
To reproduce this vulnerability, submit a request to the '/ShowForm/create_supplier/main' endpoint (the report does not state the HTTP method; try the form's own submission) with a 'company_name' value that contains a script payload, such as a script tag with a short JavaScript statement. The payload has to match the context in which the value is echoed: a bare script tag only fires when the value lands in element text, while a value placed inside a quoted attribute needs a closing quote followed by an event-handler attribute. Confirm the finding by inspecting the response body for the payload appearing verbatim, without entity encoding, rather than relying on a pop-up alone.
To address this vulnerability, HTML-entity encode the 'company_name' value (and every other user-controlled value) at the point where it is written into the page, using an encoder appropriate to the output context (element text, attribute value, JavaScript string, URL). Input validation is a useful second layer, for instance restricting the company name to a sensible length and character set, but rejecting or stripping script tags and event handlers is not a substitute for output encoding, since filters are routinely bypassed. A Content Security Policy that disallows inline scripts limits what an injected payload can do if encoding is missed somewhere. Setting the HttpOnly and Secure flags on the session cookie stops the token from being read by script and keeps it off plaintext connections, but note that this prevents only cookie theft, not actions performed with the victim's session from within the page. Regular code review and testing of every echo point can surface further XSS issues of the same kind.
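The following is an added illustration, not code from the Pharmacy Sales and Inventory System or from the original report. It is written in Python for portability and models the echo point generically: a constructed form fragment that writes the supplier name both into element text and into a value attribute, first the way the report describes (unencoded) and then with context-appropriate HTML entity encoding. The small parser-based check afterwards shows how a tester can confirm the flaw from the response markup itself, as the reproduction note above suggests, instead of waiting for a pop-up. The template, payloads and function names are all assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs for the demonstration (not taken from the report).
BENIGN = 'Acme & Sons "Pharma"'
# Fires when the value is echoed into element text.
PAYLOAD_TAG = "<script>alert(document.cookie)</script>"
# Fires when the value is echoed inside a double-quoted attribute: it closes
# the attribute and adds an event handler.
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


def render_vulnerable(company_name: str) -> str:
    """Mimics the reported flaw: the parameter is concatenated into the
    page without any encoding, in both a text and an attribute context."""
    return (
        f"<p>Supplier: {company_name}</p>"
        f'<input type="text" name="company_name" value="{company_name}">'
    )


def render_hardened(company_name: str) -> str:
    """Same template, but the value is HTML-entity encoded before it is
    written. quote=True also encodes both quote characters, which is what
    makes the attribute context safe."""
    safe = escape(company_name, quote=True)
    return (
        f"<p>Supplier: {safe}</p>"
        f'<input type="text" name="company_name" value="{safe}">'
    )


class _MarkupCollector(HTMLParser):
    """Records every start tag and attribute name the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def injected_markup(fragment: str) -> list[str]:
    """Return script tags and on* event-handler attributes present in the
    rendered fragment. An empty list means the input stayed inert data;
    anything else means it became executable markup."""
    collector = _MarkupCollector()
    collector.feed(fragment)
    collector.close()
    scripts = [t for t in collector.tags if t == "script"]
    handlers = [a for a in collector.attr_names if a.startswith("on")]
    return scripts + handlers


if __name__ == "__main__":
    for label, payload in (("tag", PAYLOAD_TAG), ("attr", PAYLOAD_ATTR)):
        print(label, "vulnerable:", injected_markup(render_vulnerable(payload)))
        print(label, "hardened:  ", injected_markup(render_hardened(payload)))
```

Run as a script, the vulnerable renderer yields a live script tag for the first payload and an onfocus handler for the second, while the hardened renderer yields nothing for either; the benign name with an ampersand and quotes survives encoding and round-trips correctly. The point of checking the parsed markup rather than searching for the literal string is that it tells you which context the value landed in, and therefore which payload shape actually matters.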