SourceCodester Sales and Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the add_supplier.php file, specifically within the 'msg' parameter of GET requests. The application does not adequately sanitize user input, enabling remote attackers to inject arbitrary web scripts or HTML via a crafted URL. This vulnerability could be exploited to steal session cookies from logged-in administrators or perform actions on their behalf.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal session cookies from an administrator. This could lead to unauthorized actions being performed on behalf of the admin.

Reproduction

To reproduce this vulnerability, deploy the SourceCodester Sales and Inventory System locally and log in as an administrator. Then, access the add_supplier.php page and include a crafted URL that injects a script into the 'msg' parameter. For example, an image tag with an 'onerror' event could be used to execute a JavaScript alert.