SourceCodester Inventory System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Inventory System version 1.0. The issue resides in the view_sales.php file, where the application fails to properly sanitize the 'limit' parameter in GET requests. This lack of input validation allows remote attackers to inject arbitrary web scripts or HTML. The vulnerability can be exploited by targeting logged-in administrators, potentially leading to session cookie theft or unauthorized actions on their behalf.

Impact

Exploitation of this vulnerability allows for session hijacking by stealing administrator session cookies. Additionally, it could lead to privilege escalation by allowing attackers to perform actions on behalf of the admin.

Reproduction

To reproduce this vulnerability, deploy SourceCodester Inventory System 1.0 locally and log in as an administrator. Then, access the view_sales.php page and include a crafted 'limit' parameter in the URL that injects a script, such as an alert payload. When the page is loaded, the injected script will execute, demonstrating the cross-site scripting vulnerability.