SourceCodester Indian Invoicing System - 1.0
A reflected cross-site scripting vulnerability has been identified in SourceCodester Indian Invoicing System version 1.0. The issue arises in the category management page, specifically within the 'msg' parameter of the 'category.php' file. User inputs are not properly sanitized before being displayed, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely, and public proof-of-concept evidence is available.
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.
To reproduce this vulnerability, send a GET request to '/InvoicingSystem_PHP/Invoicing/category.php' with a 'msg' parameter containing a script tag, such as '<script>alert("XSS-Category")</script>'. The injected script will execute immediately in the browser.
To address this vulnerability, output should be escaped using 'htmlspecialchars()' to prevent script injection. Additionally, all SQL queries should be executed using prepared statements to eliminate the risk of SQL injection.
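The output-escaping fix described above, as an added illustration rather than the project's own code: a hypothetical rendering helper for the 'msg' status message in 'category.php', showing the unescaped pattern the advisory describes beside the hardened form, with a self-check that uses the payload quoted in the advisory.

```php
<?php
// Added example, not code from the Indian Invoicing System itself. The file and
// parameter names follow the advisory; the helper names are assumptions.
declare(strict_types=1);

/**
 * Escape a string for safe insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of silently returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the status-message block shown on the category page. */
function renderMessage(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }

    // VULNERABLE pattern the advisory describes: the raw query-string value is
    // written straight into the page, so any markup in 'msg' becomes live HTML.
    //   return '<div class="alert">' . $msg . '</div>';

    // HARDENED: escape at the output boundary. The browser now displays the
    // characters literally and parses no tags from the parameter.
    return '<div class="alert">' . e($msg) . '</div>';
}

/** Self-check with the exact payload quoted in the advisory. */
function selfCheck(): bool
{
    $payload  = '<script>alert("XSS-Category")</script>';
    $out      = renderMessage($payload);
    $expected = '<div class="alert">&lt;script&gt;alert(&quot;XSS-Category&quot;)'
              . '&lt;/script&gt;</div>';
    return $out === $expected && strpos($out, '<script') === false;
}

// On the CLI $_GET is empty, so this prints nothing; under a web server it
// renders whatever 'msg' was supplied, escaped.
echo renderMessage($_GET['msg'] ?? null), PHP_EOL;
echo selfCheck() ? "self-check ok\n" : "self-check FAILED\n";
```

The same escaping must be applied to every other user-controlled value the page echoes; escaping one parameter does not cover others.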