SourceCodester Sales and Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the index.php file, where the application fails to properly sanitize the 'msg' parameter in GET requests. This lack of input validation allows remote attackers to inject arbitrary web scripts or HTML, which are executed in the context of the user's browser when they access a crafted URL.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the victim's browser. This could lead to session hijacking, phishing attacks, or performing actions on behalf of the user.

Reproduction

To reproduce this vulnerability, deploy SourceCodester Sales and Inventory System version 1.0 locally. Then, access the index.php file and include a crafted URL that injects a script via the 'msg' parameter. For example, an image tag with an 'onerror' attribute could be used to execute a JavaScript alert.