SourceCodester Online Food Ordering System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SourceCodester Online Food Ordering System version 1.0. This issue resides in the Category management module within the admin panel. The vulnerability arises because the application does not adequately sanitize user input in the 'Category Name' field when categories are created or updated. As a result, any injected JavaScript executes automatically in the browser of an administrator or user who visits the Category list page or any page where the category is displayed.
Impact
Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user viewing the affected page. This could lead to session hijacking by stealing administrator cookies, allowing an attacker to take over the application. Additionally, it could be used for persistent defacement of the application's visual appearance.
Reproduction
To reproduce this vulnerability, log into the application as an administrator and navigate to the Maintenance -> Category List page. Once there, create a new category and enter a script payload into the 'Category Name' field. After saving, the injected script will execute immediately. Refreshing the page or returning to the Category list will trigger the script execution again, confirming that the payload has been stored.
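The following Python snippet is an added example, not code from SourceCodester or from the original advisory, that models the flaw described in the Vulnerability and Reproduction sections above: a category list view that echoes the stored 'Category Name' verbatim, the same view hardened with HTML entity encoding at output time, an allowlist check for the field on input, and a triage helper a defender can run over the category table to find rows that already hold markup. The sample rows, the function names and the validation pattern are all assumptions constructed for the example; the real application is PHP and its table layout is not shown on the page.

```python
import html
import re

# Constructed sample rows standing in for the application's category table.
# Row 2 carries a benign script marker of the kind the advisory describes.
SAMPLE_CATEGORIES = [
    {"id": 1, "category_name": "Burgers"},
    {"id": 2, "category_name": "<script>alert(1)</script>Drinks"},
    {"id": 3, "category_name": "Fish & Chips"},
]


def render_category_list_unsafe(rows):
    """Hypothetical view that mirrors the flaw: the stored name is written
    into the page without encoding, so stored markup becomes live HTML."""
    items = "".join(
        f"<tr><td>{r['id']}</td><td>{r['category_name']}</td></tr>" for r in rows
    )
    return f"<table>{items}</table>"


def render_category_list_safe(rows):
    """Same view with contextual output encoding: every stored name is
    entity-encoded for an HTML text/attribute context before it is emitted."""
    items = "".join(
        f"<tr><td>{r['id']}</td><td>{html.escape(r['category_name'], quote=True)}</td></tr>"
        for r in rows
    )
    return f"<table>{items}</table>"


# Assumed allowlist for a food category name: word characters, spaces and a
# small set of punctuation, capped at 100 characters. Input validation is a
# second layer; output encoding above remains the primary fix.
NAME_RE = re.compile(r"^[\w &'\-/.,()]{1,100}$")


def is_valid_category_name(name):
    """Return True when the submitted name matches the allowlist."""
    return NAME_RE.fullmatch(name) is not None


# Triage pattern: an HTML tag opener, an inline event-handler attribute, or a
# javascript: URL scheme inside a stored value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_categories(rows):
    """Return the ids of stored rows whose name contains markup-like content,
    so an administrator can review and clean existing data after patching."""
    return [r["id"] for r in rows if MARKUP_RE.search(r["category_name"])]


if __name__ == "__main__":
    print("unsafe:", render_category_list_unsafe(SAMPLE_CATEGORIES))
    print("safe:  ", render_category_list_safe(SAMPLE_CATEGORIES))
    print("rows to review:", find_suspicious_categories(SAMPLE_CATEGORIES))
```

The safe renderer turns row 2 into `&lt;script&gt;alert(1)&lt;/script&gt;Drinks`, which the browser displays as text rather than executing; note that it also encodes the legitimate ampersand in "Fish & Chips", which is the expected behaviour of output encoding and renders correctly. Because the payload persists in the database, patching the template alone does not clean data that was stored before the fix, which is what the triage helper is for.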
