SourceCodester E-Learning System Cross-Site Scripting Vulnerability in Lesson Module Handler

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester E-Learning System version 1.0. The issue arises in the Lesson Module Handler, specifically within the file '/admin/modules/lesson/index.php'. The vulnerability allows remote attackers to inject basic HTML into the Title and Description fields of the lesson module. This injected HTML is then executed in the browser, potentially leading to web defacement, content spoofing, and phishing attacks.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected HTML is executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into the application as an administrator or instructor. Navigate to the Lesson Module and either add a new lesson or edit an existing one. Inject an HTML payload, such as a marquee tag, into the Title or Description field. Save the lesson and then view it to see the injected HTML executed in the browser.
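The advisory does not include the handler's source. The PHP below is an added illustration, not the E-Learning System's own code: it shows the unencoded output pattern that produces this behaviour next to an output-encoded version. The function names and the `$lesson` array layout are hypothetical.

```php
<?php
// Added illustration: not the E-Learning System's actual code.
// Function names and the $lesson array layout are hypothetical.

// Vulnerable pattern: stored field values are written into the page as-is,
// so any markup saved in Title or Description is interpreted by the browser.
function render_lesson_unsafe(array $lesson): string
{
    return "<h2>" . $lesson['title'] . "</h2>\n"
         . "<p>" . $lesson['description'] . "</p>\n";
}

// Output encoder for the HTML body and quoted-attribute contexts.
function h(?string $value): string
{
    return htmlspecialchars(
        $value ?? '',
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Hardened pattern: every stored field is encoded at the point of output.
function render_lesson_safe(array $lesson): string
{
    return "<h2>" . h($lesson['title']) . "</h2>\n"
         . "<p>" . h($lesson['description']) . "</p>\n";
}

// Constructed sample record, as it might be stored after saving a lesson
// whose Title contains the marquee tag mentioned in the advisory.
$lesson = [
    'title'       => '<marquee>Week 1</marquee>',
    'description' => 'Intro & overview of "basics"',
];

echo "--- unsafe ---\n", render_lesson_unsafe($lesson);
echo "--- safe ---\n", render_lesson_safe($lesson);

// Regression check: the encoded page must not contain the stored tag as markup.
if (strpos(render_lesson_safe($lesson), '<marquee>') !== false) {
    throw new RuntimeException('stored markup reached the page unencoded');
}
```

Encoding at output time also neutralises values that were saved before the fix, which input-side filtering alone would not.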

Added: Jan 19, 2026, 1:20 PM
Updated: Jan 19, 2026, 1:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.