itsourcecode Electronic Judging System Cross-Site Scripting Vulnerability in Judges.php

A cross-site scripting (XSS) vulnerability has been identified in version 1.0 of the itsourcecode Electronic Judging System. The issue arises in the file '/admin/judges.php', where the 'fname' parameter is not properly validated or encoded, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely, with the injected scripts executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute scripts in the victim's browser. This could lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the victim or redirecting them to malicious websites.

Reproduction

To reproduce this vulnerability, navigate to the '/admin/judges.php' file and include a script tag in the 'fname' parameter. The injected script will be executed in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, implement proper input validation and output encoding for the 'fname' parameter. Additionally, consider using a Content Security Policy (CSP) to restrict the execution of scripts.