SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A reflected cross-site scripting (XSS) vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the delete.php file, where the application fails to properly sanitize the GET parameter 'id' before reflecting it in the response. This vulnerability allows authenticated attackers to execute arbitrary JavaScript in the browsers of victims, potentially leading to session hijacking.
Exploitation of this vulnerability allows for session hijacking, where an attacker can steal the session cookies of administrators. This could lead to privilege escalation by executing actions on behalf of the administrator, such as modifying system settings or performing unauthorized deletions.
To reproduce this vulnerability, log into the application as an administrator. Then, access the delete.php file with a crafted URL that includes a malicious payload in the 'id' parameter. The payload will be executed in the context of the victim's browser, demonstrating the cross-site scripting vulnerability.
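The defect class described above, as an added illustration that is not SourceCodester's code: a handler that echoes the raw GET 'id' into the page beside a hardened version that validates the value as a positive integer and encodes it on output. Function names, the surrounding HTML and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not the project's own code): the unsafe reflection pattern
// described in the advisory next to a hardened handler for the same request.

// Vulnerable pattern: the raw query-string value is placed into the response
// body unchanged, so any HTML or script in 'id' is interpreted by the browser.
function render_delete_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return "<p>Record " . $id . " deleted.</p>";
}

// Hardened pattern: require 'id' to be the positive integer the application
// expects, reject anything else, and still HTML-encode on output (defence in depth).
function render_delete_hardened(array $get): string
{
    $raw = $get['id'] ?? '';
    // FILTER_VALIDATE_INT returns false for non-numeric, negative or zero input
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return "<p>Invalid record id.</p>";
    }
    // ENT_QUOTES encodes <, >, &, ' and " should a string ever reach this point
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Record " . $safe . " deleted.</p>";
}

// Constructed sample inputs: a legitimate id and a value carrying harmless markup.
$legit  = ['id' => '42'];
$markup = ['id' => '42<b>not-a-number</b>'];

echo render_delete_vulnerable($markup), PHP_EOL; // markup reaches the page intact
echo render_delete_hardened($legit), PHP_EOL;    // accepted, rendered as text
echo render_delete_hardened($markup), PHP_EOL;   // rejected before reaching the page
```

In the real application the integer check should also gate the database deletion, not only the rendered message.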