Code-Projects Online Food Ordering System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Online Food Ordering System version 1.0. The issue resides in the 'cuisines' parameter of the '/dbfood/food.php' file. The parameter value is stored without adequate input sanitization and later written into the page without output encoding, so injected JavaScript is executed in the browser of any user who views the stored data.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user, potentially leading to session hijacking, cookie theft, unauthorized actions within the application, and the injection of malicious content into the application interface.

Reproduction

To reproduce this vulnerability, upload a food item through the application's food management feature. Intercept the request and inject a JavaScript payload into the 'cuisines' parameter. Once the item is saved, the injected script will execute automatically when the food listing is viewed.

Remediation

It is recommended to apply context-appropriate output encoding to user-supplied data before writing it into HTML, to validate and sanitize input before it is stored in the database, and to deploy a Content Security Policy that restricts the execution of injected scripts.
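The three measures above in one minimal PHP illustration, written for this advisory and not taken from the project's code: the function names, the allowlist pattern and the sample row are assumptions; only the 'cuisines' field name comes from the advisory.

```php
<?php
// Added example for this advisory; not code from Code-Projects Online Food
// Ordering System. Function names and the allowlist are assumptions.

// 1. Validate on input: bound the length and character set of 'cuisines'
//    before it reaches the database (constructed allowlist).
function validate_cuisines(string $value): ?string {
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} ,\-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// 2. Encode on output: ENT_QUOTES makes the value inert in element content
//    and in quoted attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored value is interpolated straight into markup.
function render_row_vulnerable(array $food): string {
    return "<tr><td>{$food['name']}</td><td>{$food['cuisines']}</td></tr>";
}

// Hardened pattern: the same row, encoded at the point of output.
function render_row_safe(array $food): string {
    return '<tr><td>' . h($food['name']) . '</td><td>' . h($food['cuisines']) . '</td></tr>';
}

// 3. Defense in depth: a CSP without 'unsafe-inline' blocks inline script
//    even if an encoding call is missed somewhere else in the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample row, as it would arrive from a tampered save request.
$submitted = ['name' => 'Pad Thai', 'cuisines' => '<script>alert(1)</script>'];

if (validate_cuisines($submitted['cuisines']) === null) {
    // Reject instead of storing; a real handler would return an error response.
    echo "rejected: 'cuisines' contains disallowed characters\n";
}

// Even a value that slipped past validation is emitted as entities, i.e. as
// visible text rather than as executable markup.
echo render_row_safe($submitted), "\n";
```

The `render_row_vulnerable` function is kept only to show the pattern that must not appear in the listing page; the hardened listing should call `render_row_safe` for every row.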

Added: Mar 26, 2026, 10:20 PM
Updated: Mar 26, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.