SourceCodester Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Inventory System version 1.0. The issue resides in the 'view_stock_availability.php' file, specifically within the 'limit' parameter of GET requests. The application does not properly sanitize user input, allowing remote attackers to inject arbitrary web scripts or HTML. This vulnerability can be exploited to target logged-in administrators, potentially leading to session cookie theft or unauthorized actions performed on their behalf.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal cookies from an administrator, and privilege escalation, enabling the attacker to perform actions within the system as an administrator.

Reproduction

To reproduce this vulnerability, deploy SourceCodester Inventory System 1.0 locally and log in as an administrator. Then, access the 'view_stock_availability.php' page and include a crafted 'limit' parameter in the URL that injects a script, such as an alert payload. When the page is loaded, the injected script will execute, demonstrating the cross-site scripting vulnerability.