Bdtask Bhojon All-In-One Restaurant Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Bdtask Bhojon All-In-One Restaurant Management System versions prior to 20260116. The issue resides in the User Information Module, specifically within the profile management feature. The vulnerability allows for the injection of malicious scripts into the fullname field, which are then executed when the profile page is accessed. This flaw can be exploited remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for stored execution of injected JavaScript, potentially leading to session theft, account takeover, privilege escalation, and compromise of admin accounts. Additionally, it opens avenues for phishing attacks and malware injection.

Reproduction

To reproduce this vulnerability, access the profile edit section of the application. Enter a script payload into the fullname field and save the changes. Upon reloading the profile page, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to sanitize user input, encode output, strip script tags, implement Content Security Policy (CSP), and use appropriate escaping functions.