SourceCodester Sales and Inventory System Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the add_stock.php file, specifically in the 'msg' parameter of GET requests. The application does not sanitize or encode this user-supplied value before reflecting it into the page, allowing remote attackers to inject arbitrary web script or HTML. This vulnerability could be exploited to execute malicious scripts in the browser of any user who opens a crafted link.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal session cookies from an administrator. Additionally, it could lead to privilege escalation by allowing the attacker to perform actions on behalf of the admin.

Reproduction

To reproduce this vulnerability, deploy SourceCodester Sales and Inventory System 1.0 locally and log in as an administrator. Then request the add_stock.php page with a crafted URL whose 'msg' parameter contains a script. For example, an image tag with an 'onerror' event could be used to execute a JavaScript alert.
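As an added illustration (not the project's own add_stock.php source, which this advisory does not reproduce), the reflection pattern described above is reconstructed beside a hardened version; the function names, the probe string and the session-cookie helper are constructed here for the example.

```php
<?php
declare(strict_types=1);

// Constructed reconstruction of the pattern the advisory describes: the 'msg'
// query value is concatenated straight into the page, so any markup in it is
// parsed and executed by the browser.
function render_msg_vulnerable(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened version: encode for the HTML element context before output.
// ENT_QUOTES also encodes single quotes, so the same helper stays safe if the
// value is later placed inside a quoted attribute.
function render_msg_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Defence in depth against the session-hijacking impact described above: an
// HttpOnly session cookie cannot be read by script even if an XSS slips
// through. Must run before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

harden_session_cookie();

// Constructed probe of the kind the advisory mentions: an image tag whose
// onerror handler would run if reflected unencoded.
$probe = '<img src=x onerror=alert(1)>';

echo 'vulnerable: ' . render_msg_vulnerable($probe) . PHP_EOL;
echo 'hardened:   ' . render_msg_safe($probe) . PHP_EOL;

// Check a reviewer can run: the hardened output must not contain the raw tag
// and must contain its entity-encoded form instead.
$safe = render_msg_safe($probe);
$ok = strpos($safe, '<img') === false && strpos($safe, '&lt;img') !== false;
echo ($ok ? 'encoding check passed' : 'encoding check FAILED') . PHP_EOL;
```

The same encoding must be applied at every point where 'msg' (or any other request value) is written into HTML; encoding once at input does not cover values that are later emitted in a different context.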

Added: Mar 30, 2026, 4:22 PM
Updated: Mar 30, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.6
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.