| Field | Value |
|---|---|
| Title | code-projects Simple Cafe Ordering System published October 30, 2025 Cross Site Scripting |
**Description**

## Summary

The vulnerability exists in the **output rendering** component due to improper input validation and sanitization, allowing reflected Cross-Site Scripting (XSS) attacks.

## Root Cause

The application fails to sanitize user-controlled input that is passed to the page rendering function. Specifically, fields such as product names and usernames are fetched from the database and echoed directly to the page without an output encoding function such as `htmlspecialchars()`. This allows an attacker to inject JavaScript that runs in other users' browsers.
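The following PHP snippet is an added example, not code from the Simple Cafe Ordering System or from the report. It places the pattern described above (a value read from the database and echoed into the markup as-is) beside the hardened form that applies `htmlspecialchars()` at the point of output. The function names `renderCartRowUnsafe`, `renderCartRowSafe`, `renderGreetingSafe` and `h`, and the sample values, are constructed for illustration; the product name reuses the payload from the reproduction step.

```php
<?php
// Added example, not code from the Simple Cafe Ordering System or from the report.
// Shows the root cause described above (a stored value echoed into HTML without
// output encoding) next to the hardened form using htmlspecialchars(). Function
// names and sample values are constructed for illustration.
declare(strict_types=1);

// Vulnerable pattern: a product name fetched from the database is concatenated
// straight into the markup, so any markup inside the value becomes part of the page.
function renderCartRowUnsafe(string $productName): string
{
    return '<tr><td class="product">' . $productName . '</td></tr>';
}

// Encode a value for an HTML element-text or quoted-attribute context.
// ENT_QUOTES converts both ' and " so the result is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset is passed explicitly so the encoder's view matches the page's.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: the same row, encoded when it is written out. Nothing about
// how the value was stored or validated earlier needs to change for this to hold,
// which is why output encoding is the dependable fix for data coming from the DB.
function renderCartRowSafe(string $productName): string
{
    return '<tr><td class="product">' . h($productName) . '</td></tr>';
}

// The report also names usernames as affected. A value placed inside a quoted
// attribute needs the same treatment; this is where encoding the quote characters
// (ENT_QUOTES) matters, not only the angle brackets.
function renderGreetingSafe(string $username): string
{
    return '<input type="text" name="username" value="' . h($username) . '">'
         . '<p>Welcome back, ' . h($username) . '</p>';
}

// Constructed sample input: the product name mirrors the reproduction step in the
// report; the username simply contains characters that are significant in HTML.
$productName = '"><script>alert(\'XSS Exploit\');</script>';
$username    = 'O"Neil <admin>';

echo renderCartRowUnsafe($productName), PHP_EOL;  // markup passes through untouched
echo renderCartRowSafe($productName), PHP_EOL;    // same value, now inert text
echo renderGreetingSafe($username), PHP_EOL;      // quotes and brackets encoded
```

Run with `php example.php`. In the unsafe row the `<script>` element is emitted verbatim and a browser would execute it; in the hardened row the same characters come out as `&lt;script&gt;` and the browser shows the value as literal text. The encoding is applied per output context (element text and quoted attribute here); a value inserted into a JavaScript block or a URL would need encoding appropriate to that context instead.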
## Reproduction

1. **Log in as a user:** log in as any regular user.
2. **Send the following request:** a POST request with a manipulated product name or username, such as:

   ```http
   POST /add_to_cart HTTP/1.1
   Content-Type: application/x-www-form-urlencoded

   product_name="><script>alert('XSS Exploit');</script>
   ```

3. **Access the product page** where the input is rendered, such as the shopping cart or product detail page. The injected JavaScript executes when another user views the page.

## Impact

This allows an attacker to execute arbitrary JavaScript in the context of another user's browser. The attacker could steal session cookies, perform actions on behalf of the user, or redirect them to malicious websites, leading to risks such as session hijacking or phishing.
| Field | Value |
|---|---|
| Source | https://github.com/shenxianyuguitian/cafeorder_vuln_XSS/blob/main/README.md |
| User | xuanyuesanshi (UID 88126) |
| Submission | 2025-10-30 12:48 (7 months ago) |
| Moderation | 2025-11-14 17:24 (15 days later) |
| Status | Accepted |
| VulDB Entry | 332500 [code-projects Simple Cafe Ordering System 1.0 /add_to_cart product_name cross site scripting] |
| Points | 20 |