SourceCodester SUP Online Shopping Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester SUP Online Shopping version 1.0. The issue resides in the admin/productedit.php file, where the productName parameter is not properly sanitized before being displayed. This flaw allows attackers to inject malicious JavaScript that is executed in the context of the user’s session, potentially leading to session hijacking and theft of sensitive information such as login credentials.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed when the affected page is viewed, leading to session hijacking and theft of user data.

Reproduction

To reproduce this vulnerability, send a POST request to the admin/productedit.php file with the productName parameter containing injected JavaScript, such as a script tag with an alert function. Include the necessary session cookie to maintain the user session.

Remediation

Users are advised to implement proper input validation and output encoding for user-supplied data, particularly in parameters that can be manipulated through the user interface. Additionally, consider using Content Security Policy headers to restrict the execution of scripts.
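To make the remediation concrete, the following PHP is an added example that is not code from SUP Online Shopping or SourceCodester: it contrasts an unencoded echo of the productName value with an output-encoded version, adds a basic validation step, and sends a Content Security Policy header. Only the productName parameter and the admin/productedit.php file name come from the advisory; the function names, the surrounding HTML markup and the sample input are assumptions.

```php
<?php
// Added example (not the project's own code). Shows the vulnerable output
// pattern beside its hardened form for a product-name field such as the
// productName parameter handled by admin/productedit.php.

/* Vulnerable pattern: the raw value is placed into HTML without encoding,
   so markup or a script tag in the value becomes part of the page. */
function render_product_field_unsafe(string $productName): string
{
    return '<input type="text" name="productName" value="' . $productName . '">';
}

/* Input validation (assumed policy): reject control characters and
   over-long values before the value is stored. Returns null on rejection. */
function validate_product_name(string $productName): ?string
{
    $trimmed = trim($productName);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $trimmed)) {
        return null;
    }
    return $trimmed;
}

/* Hardened output: encode for the HTML attribute context. ENT_QUOTES encodes
   both quote styles so the value cannot terminate the attribute; naming the
   charset avoids silent failures on multibyte input. Validation alone is not
   enough, because legitimate names may contain characters like & or ". */
function render_product_field_safe(string $productName): string
{
    $encoded = htmlspecialchars($productName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="productName" value="' . $encoded . '">';
}

/* Defence in depth: a Content Security Policy that only allows scripts from
   the same origin or carrying the per-request nonce. An injected inline
   <script> that slipped past encoding would be blocked by the browser. */
function send_csp_header(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");
}

/* Constructed sample input containing markup characters. */
$sample = '<b>"Widget" & Co</b>';

$nonce = base64_encode(random_bytes(16));
send_csp_header($nonce);

echo "Unsafe rendering:\n", render_product_field_unsafe($sample), PHP_EOL;

$validated = validate_product_name($sample);
if ($validated === null) {
    echo "Rejected by validation\n";
} else {
    echo "Safe rendering:\n", render_product_field_safe($validated), PHP_EOL;
}
```

Run it with the PHP CLI to compare the two renderings; the encoded version keeps the characters visible to the user while preventing them from being interpreted as markup.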

Added: May 26, 2026, 8:40 PM
Updated: May 26, 2026, 8:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.