SourceCodester Resort Reservation System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SourceCodester Resort Reservation System version 1.0, specifically within the Reservation Management module. The issue arises because the application does not properly sanitize or encode user input in reservation fields such as Fullname and Remarks. This lack of input validation allows malicious JavaScript to be injected, stored in the database, and executed when the reservation data is viewed in administrative interfaces. As a result, an authenticated user could potentially execute arbitrary JavaScript in the context of other users, including administrators, leading to serious consequences such as session hijacking, privilege escalation, and unauthorized modifications of reservation data.
Impact
Exploiting this vulnerability causes the injected JavaScript to execute in the context of any user who views the affected reservation records. This could result in session hijacking, privilege escalation, unauthorized changes to reservation data, and potentially the takeover of user accounts.
Reproduction
To reproduce this vulnerability, navigate to the 'Reservation List' and select 'Add/Edit Reservation'. Inject a script payload into the 'Fullname' or 'Remarks' field and save the reservation. The injected script will execute automatically when the reservation is accessed through the 'Reservation List' or the editing interface.
Remediation
To address this vulnerability, apply proper output encoding to all user-controlled data before rendering it in the application. Additionally, validate input so that HTML tags are restricted in fields where they are not necessary. Consider applying a Content Security Policy to mitigate the impact of any potential script injection.
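An added example, not taken from the application's own source, of the three measures above in PHP (the application's language): output encoding in the list and edit views, input validation for the Fullname and Remarks fields, and a CSP header. The function names, the `$row` array keys, the length limits and the policy string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Encode for HTML body and quoted-attribute contexts. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation (assumed rule): these fields never need markup, so reject
// angle brackets and control characters and cap the length in characters.
function is_plain_text(string $value, int $maxLen): bool
{
    $pattern = '/^[^<>\x00-\x08\x0B\x0C\x0E-\x1F]{1,' . $maxLen . '}\z/u';
    return preg_match($pattern, $value) === 1;
}

// Reservation List row: every stored value is encoded at the point of output.
function render_list_row(array $row): string
{
    return '<tr><td>' . e($row['fullname']) . '</td><td>'
         . nl2br(e($row['remarks'])) . '</td></tr>';
}

// Edit form: the same encoding applies inside value="..." and <textarea>.
function render_edit_fields(array $row): string
{
    return '<input type="text" name="fullname" value="' . e($row['fullname']) . '">'
         . '<textarea name="remarks">' . e($row['remarks']) . '</textarea>';
}

// CSP as defence in depth. This assumed policy blocks inline scripts, so any
// inline <script> the pages rely on would have to move to same-origin files.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample record, standing in for a row read back from the database.
$row = [
    'fullname' => '"><script>alert(1)</script>',
    'remarks'  => "Late arrival\n<script>alert(1)</script>",
];
echo render_list_row($row), "\n", render_edit_fields($row), "\n";
foreach (['fullname' => 100, 'remarks' => 500] as $field => $max) {
    printf("%s accepted by validation: %s\n", $field, is_plain_text($row[$field], $max) ? 'yes' : 'no');
}
```

Encoding at output is what neutralises records already stored in the database; the validation check only narrows what new submissions can store.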
