Code-Projects Accounting System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects Accounting System version 1.0. The issue resides in the 'costumer_name' parameter of the '/my_account/add_costumer.php' file within the Web Application Interface component. The vulnerability arises because the application fails to properly sanitize or encode user input before it is saved to the database and subsequently displayed in the web interface. This flaw allows attackers to inject malicious JavaScript that is executed when the stored data is viewed, potentially leading to session hijacking and unauthorized actions on behalf of users.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could result in session hijacking, theft of authentication cookies, and unauthorized actions performed on behalf of other users.
Reproduction
To reproduce this vulnerability, send a POST request to '/my_account/add_costumer.php' with a payload in the 'costumer_name' parameter that includes malicious JavaScript, such as a script tag or an equivalent injection that exploits the lack of input validation. Once the payload is submitted, it will be stored in the database and executed when the corresponding customer record is viewed.
Remediation
Users are advised to sanitize and validate all user inputs, encode outputs using appropriate functions before rendering user-controlled data, and implement a Content Security Policy (CSP).
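The three measures above, sketched in PHP as an added example (not code from Code-Projects Accounting System; the function names, the 100-character limit and the allowed-character pattern are assumptions). It validates 'costumer_name' on input, encodes the stored value at output, and sends a CSP that disallows inline script:

```php
<?php
// Added example, not the project's code. Function names, the length limit
// and the allowed-character pattern are assumptions for illustration.
declare(strict_types=1);

/** Validate the 'costumer_name' POST field before it is stored. */
function validate_costumer_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, spaces and common name punctuation, 1 to 100 characters.
    if (!preg_match('/^[\p{L}\p{N} .,\'&-]{1,100}\z/u', $name)) {
        return null;
    }
    return $name;
}

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one customer row; encoding is applied at output, whatever was stored. */
function render_costumer_row(int $id, string $storedName): string
{
    return sprintf('<tr><td>%d</td><td>%s</td></tr>', $id, e($storedName));
}

/** CSP without 'unsafe-inline': a second layer if an output path misses encoding. */
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; "
             . "script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample values: a record stored before validation existed,
// and an ordinary name containing an apostrophe and an ampersand.
send_csp_header();
$legacy = '<script>alert(1)</script>';
$normal = "O'Brien & Co";

// Input side: markup fails the allow-list, the ordinary name passes.
var_dump(validate_costumer_name($legacy));
var_dump(validate_costumer_name($normal));

// Output side: both values are emitted as inert text inside the table cell.
echo render_costumer_row(7, $legacy), PHP_EOL;
echo render_costumer_row(8, $normal), PHP_EOL;
```

Output encoding is the control that matters for records already in the database; input validation only stops new ones.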
