SourceCodester Sales and Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the add_customer.php file, specifically within the 'msg' parameter of GET requests. The application does not properly sanitize user input, allowing remote attackers to inject arbitrary web scripts or HTML. This vulnerability could be exploited to execute malicious scripts in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal session cookies from an administrator. Additionally, it could lead to privilege escalation by allowing the attacker to perform actions on behalf of the admin.

Reproduction

To reproduce this vulnerability, deploy the Inventory System locally and log in as an administrator. Then, access the add_customer.php page and include a crafted URL that injects a script into the 'msg' parameter. For example, use an image tag with an 'onerror' event to execute a JavaScript alert.