SourceCodester Pharmacy Sales and Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'Customer' function of the 'index.php' file when the 'name' parameter is manipulated. This vulnerability allows remote attackers to inject malicious scripts that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary scripts in the context of the user's browser, potentially leading to the theft of cookies, session tokens, or other sensitive information. This could also allow attackers to perform actions on behalf of the user, deface web pages, redirect users to malicious sites, or gain control over the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the 'index.php' page and include a script payload in the 'name' parameter. The injected script will be executed in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to encode output properly, validate and filter input, implement a Content Security Policy, set secure and HttpOnly flags for cookies, and conduct regular security audits.