SourceCodester Pizzafy Ecommerce System Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Pizzafy Ecommerce System version 1.0. The issue arises in the file '/admin/index.php', where the 'page' parameter is not properly sanitized before being displayed. This lack of validation allows attackers to inject malicious JavaScript that is executed in the context of the user’s session. The vulnerability can be exploited remotely, potentially leading to session hijacking and theft of sensitive information such as cookies and login credentials.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed immediately in the context of the user.

Reproduction

To reproduce this vulnerability, send a GET request to '/admin/index.php' with a crafted 'page' parameter that includes JavaScript payloads. The injected script will be executed as soon as the page is loaded.

Remediation

Users are advised to implement proper input validation and output encoding for user-supplied data. Additionally, consider using Content Security Policy (CSP) to restrict the execution of scripts.
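As an added illustration (not code from Pizzafy, SourceCodester or this advisory's author), the snippet below shows how a handler such as /admin/index.php can apply the three measures above to the 'page' parameter: allowlist validation on input, HTML encoding on output, and a Content Security Policy that blocks inline script. The page names, file layout and the vulnerable echo shown in the comment are assumptions.

```php
<?php
// Added illustration, not the project's code: hardening the 'page'
// parameter of an admin router like /admin/index.php.
declare(strict_types=1);

// Layer 1: allowlist of sub-pages the router may serve (assumed names).
const ADMIN_PAGES = ['dashboard', 'orders', 'products', 'customers'];

/**
 * Validate the requested page on input. Anything that is not a string
 * (e.g. ?page[]=x) or not in the allowlist falls back to the default,
 * so the value can never carry markup or a path.
 */
function resolve_admin_page($requested): string
{
    if (is_string($requested) && in_array($requested, ADMIN_PAGES, true)) {
        return $requested;
    }
    return 'dashboard';
}

/**
 * Layer 2: encode at the point of output for an HTML text/attribute
 * context. Even if validation were bypassed, the value could not close
 * the surrounding tag or start a <script> element.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Layer 3: CSP without 'unsafe-inline', so a reflected inline payload that
// reaches the browser is refused by the script engine. Must be sent before
// any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'");

// Vulnerable pattern the advisory describes (do not do this):
//   echo $_GET['page'];   // raw reflection into the HTML response
$page = resolve_admin_page($_GET['page'] ?? null);

// Hardened: validated value, encoded where it is rendered.
echo '<title>Admin - ' . html_escape($page) . '</title>';

// Because $page is allowlisted it is also safe to use in a file path
// (assumed layout: one include per admin sub-page).
require __DIR__ . '/pages/' . $page . '.php';
```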

Added: May 8, 2026, 12:19 AM
Updated: May 8, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          5.4
exploitability  7.5
remediation     0.0
relevance       7.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.