SourceCodester Indian Invoicing System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Indian Invoicing System versions up to 1.0. The issue arises in the 'add_order.php' file within the Invoice Template Render Database-Backed component. The 'customer_name' field is stored without sanitization and rendered without output encoding, so a script injected into it is executed whenever the invoice is viewed. This flaw can be exploited remotely, and a public proof of concept demonstrates that it is exploitable in practice.

Impact

Exploitation of this vulnerability allows injected scripts to be executed in the context of the victim's browser, potentially leading to session hijacking or other malicious actions.

Reproduction

To reproduce this vulnerability, send a POST request to '/Invoicing/add_order.php' with a crafted 'customer_name' value that includes a script payload (for example, a script tag that triggers an alert). Include the 'PHPSESSID' cookie so that the request is made within an authenticated session.

Remediation

It is recommended to encode all dynamic output before rendering it in HTML, sanitize and validate invoice-related fields at the input stage, and review invoice templates for similar output encoding issues.
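The following is an added example, not code from SourceCodester or from the affected application, showing the two remediation controls named above for the 'customer_name' field: input-stage validation and output encoding at render time. The helper names (esc(), validateCustomerName()), the $order array and the template fragment are illustrative assumptions about how add_order.php stores and renders the field; only the field name comes from the advisory.

```php
<?php
// Added example (not the project's own code). Assumed names: esc(),
// validateCustomerName(), $order. The sample record below is constructed.

// Encode a value for insertion into an HTML text node or attribute.
// ENT_QUOTES covers both quote styles, so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8,
// which would otherwise silently drop the value.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input-stage validation for a customer name: trim, cap the length and
// reject control characters. Returns null when the value is not acceptable.
// This is defence in depth; the output encoding in esc() is the control that
// actually prevents the stored XSS, because a name such as O'Brien & Sons
// is legitimate input and must not be rejected.
function validateCustomerName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $name)) {
        return null;
    }
    return $name;
}

// Input stage: validate before the value is stored.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = validateCustomerName((string)($_POST['customer_name'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        exit('Invalid customer name');
    }
    // Persist $name with a prepared statement here (storage code not shown).
}

// Constructed sample record standing in for a row read back from the database.
// It contains markup and both quote styles to exercise the encoder.
$order = ['customer_name' => 'Acme <b>"Widgets"</b> & O\'Brien'];

// Vulnerable pattern described in the advisory: the stored value is echoed
// into the template unchanged, so any <script> it contains runs in the viewer's
// browser. Kept here only as a comment for comparison.
// echo "<td>{$order['customer_name']}</td>";

// Hardened pattern: every dynamic value passes through esc() at render time,
// in text nodes and in attribute values alike.
?>
<table>
  <tr>
    <th>Customer</th>
    <td><?= esc($order['customer_name']) ?></td>
  </tr>
</table>
<input type="text" name="customer_name" value="<?= esc($order['customer_name']) ?>">
```

With the sample record above, the table cell renders as the literal text Acme &lt;b&gt;"Widgets"&lt;/b&gt; &amp; O'Brien rather than as markup, and the same helper keeps the value inside the input's value attribute from breaking out of the quotes. The review step in the remediation amounts to searching the invoice templates for any echo or short-tag output of a database-backed field that does not go through such an encoder.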

Added: May 26, 2026, 8:19 PM
Updated: May 26, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.