SourceCodester Sales and Inventory System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the 'update_details.php' file, where the application fails to properly sanitize the 'website' parameter in POST requests. This lack of input validation allows authenticated attackers to inject arbitrary web scripts or HTML. The injected content is stored in the database and executed whenever the store details page is accessed, creating a persistent XSS risk.
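The root cause described above is a value that is accepted without validation and later rendered as HTML. As an added example that is not part of this advisory or of the SourceCodester project's own code, the following shows one way to handle the 'website' field of update_details.php safely on both the write path and the 'Store Details' view; the $pdo connection, the store_details table and the website column are assumptions.

```php
<?php
// Added example (not the project's code). Hardened handling of the 'website'
// POST parameter named in the advisory. $pdo, the table store_details and the
// column website are hypothetical.

// Accept only absolute http(s) URLs; anything else is rejected before storage.
function validate_website(string $input): ?string
{
    $input = trim($input);
    if ($input === '') {
        return '';                       // an empty website is permitted
    }
    if (mb_strlen($input) > 255 || filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // FILTER_VALIDATE_URL accepts other schemes, so restrict explicitly.
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $input : null;
}

// Encode for an HTML text node or attribute value. This is the control that
// renders a stored value inert when the Store Details page displays it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $website = validate_website($_POST['website'] ?? '');
    if ($website === null) {
        http_response_code(400);
        exit('Invalid website URL');
    }
    // Prepared statement against the hypothetical table/column.
    $stmt = $pdo->prepare('UPDATE store_details SET website = :website WHERE id = 1');
    $stmt->execute([':website' => $website]);
}

// View side: always encode on output, independent of what was checked at write time.
$row = $pdo->query('SELECT website FROM store_details WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$website = $row['website'] ?? '';
?>
<p>Website: <a href="<?= e($website) ?>"><?= e($website) ?></a></p>
```

Output encoding in the view is the fix that matters most here: even a record already stored with markup in it is displayed as literal text rather than executed.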

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of any user who views the store details page, with that user's privileges. This could lead to session hijacking, defacement of the settings page, or other actions the viewing user is permitted to perform.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the 'Store Setting' or 'Update Details' page. In the 'WEBSITE' input field, enter a script payload, such as a script tag containing JavaScript code, and submit the form. The injected script will execute immediately when the 'Store Details' page is viewed.

Added: Mar 30, 2026, 3:27 PM
Updated: Mar 30, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.