SourceCodester Doctor Appointment System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Doctor Appointment System version 1.0. The issue resides in the registration page, specifically within the 'Email' input field of the '/register.php' file. Due to inadequate server-side input validation, an attacker can inject malicious JavaScript that is subsequently executed when an admin views the user management or doctors pages.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the victim's browser, potentially leading to the theft of administrative cookies and privileges.

Reproduction

To reproduce this vulnerability, register a new patient account through the sign-up page. Intercept the registration request and inject a script into the email field. Once the account is created, log in as an admin and access the user management or doctors pages to trigger the stored script execution.

Remediation

It is recommended to implement proper input validation and output encoding, particularly for user-generated content. Additionally, using secure development frameworks that automatically escape user input can help mitigate this vulnerability.