SourceCodester Sales and Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the add_purchase.php file, specifically within the 'msg' parameter of GET requests. The application does not properly sanitize user input, allowing remote attackers to inject arbitrary web scripts or HTML. This vulnerability could be exploited to execute malicious scripts in the context of the user's session.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal session cookies from an administrator. Additionally, it could lead to privilege escalation by allowing the attacker to perform actions on behalf of the admin.

Reproduction

To reproduce this vulnerability, log into the application as an administrator. Then, access the add_purchase.php page and include a crafted URL that injects a script into the 'msg' parameter. The injected script will be executed when the page is loaded.