| Title | code-projects Accounting System In PHP 1.0 Cross Site Scripting |
|---|---|
| Description | The Accounting System in PHP 1.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the costumer_name parameter processed by the /my_account/add_costumer.php endpoint. The vulnerability occurs because the application does not properly sanitize or encode user-supplied input before storing it in the database and rendering it within the web application interface.<br><br>During the customer registration process, the application accepts several user-controlled parameters such as costumer_name, mob, and village. The value provided in the costumer_name field is stored in the backend database and later displayed on application pages without proper output encoding. Because the application renders this stored value directly in HTML responses, attackers can inject malicious JavaScript code into the field.<br><br>An attacker can exploit this issue by submitting a crafted payload, such as <details/open/ontoggle=prompt(origin)>, within the costumer_name parameter. Once the malicious input is stored in the database, the payload executes automatically in the browser of any user who accesses the page where the stored customer data is displayed. This is a stored XSS vulnerability because the injected script persists within the application and runs whenever the stored data is rendered.<br><br>Successful exploitation may allow attackers to execute arbitrary JavaScript in the context of the affected application. This could lead to session hijacking, theft of authentication cookies, unauthorized actions performed on behalf of authenticated users, or the injection of malicious content into the application interface. The root cause of this vulnerability is the absence of proper input validation and output encoding when handling user-supplied data. |
| Source | ⚠️ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Accounting%20System%20in%20PHP%201.0%20-%20Stored%20Cross-Site%20Scripting%20(XSS)%20in%20costumer_name%20Parameter.md |
| User | AhmadMarzook (UID 96211) |
| Submission | 2026-03-09 18:11 (28 days ago) |
| Moderation | 2026-03-25 15:24 (16 days later) |
| Status | Accepted |
| VulDB Entry | 353139 [code-projects Accounting System 1.0 Web Application Interface add_costumer.php costumer_name cross site scripting] |
| Points | 20 |
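The description above names the root cause (stored value rendered into HTML without output encoding) but the record carries none of the application's code. The following PHP is an added illustration written for this page, not the Accounting System's own handler: it shows the unsafe render-as-HTML pattern that produces a stored XSS next to a hardened version that validates the field on input and HTML-encodes it on output. The table name `costumers`, the in-memory SQLite database and all function names are assumptions made for the example; the sample value is the payload quoted in the description.

```php
<?php
// Added illustration, not code from the Accounting System project.
// Assumed: a table "costumers" with columns costumer_name, mob, village.
declare(strict_types=1);

// Storage: a prepared statement stores the value verbatim. This prevents
// SQL injection but does nothing about XSS; the XSS fix belongs at output.
function store_customer(PDO $pdo, string $name, string $mob, string $village): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO costumers (costumer_name, mob, village) VALUES (?, ?, ?)'
    );
    $stmt->execute([$name, $mob, $village]);
}

// Input validation (defence in depth): a customer name should never need
// angle brackets, slashes or equals signs. Letters in any script, marks,
// digits, spaces and a few punctuation characters are allowed.
function validate_customer_name(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    return preg_match('/^[\p{L}\p{M}\p{N} .\'\-]+$/u', $name) === 1;
}

// VULNERABLE rendering pattern: the stored value is interpolated straight
// into the HTML response, so any markup or event handler it contains is
// parsed and executed by the browser of whoever views the customer list.
function render_customer_row_unsafe(array $row): string
{
    return "<tr><td>{$row['costumer_name']}</td>"
         . "<td>{$row['mob']}</td><td>{$row['village']}</td></tr>";
}

// HARDENED rendering: encode every untrusted value for the HTML text
// context it lands in. ENT_QUOTES also encodes ' and " so the same helper
// is safe inside quoted attribute values; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_row_safe(array $row): string
{
    return '<tr><td>' . e($row['costumer_name']) . '</td>'
         . '<td>' . e($row['mob']) . '</td><td>' . e($row['village']) . '</td></tr>';
}

// Demonstration with constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE costumers (id INTEGER PRIMARY KEY, costumer_name TEXT, mob TEXT, village TEXT)');

// The value from the advisory, as it would arrive in the costumer_name field.
$submitted = '<details/open/ontoggle=prompt(origin)>';

echo 'validation: ' . (validate_customer_name($submitted) ? 'accepted' : 'rejected') . PHP_EOL;

// Store it anyway to show the difference the renderer makes when, as in the
// vulnerable application, no validation is applied at all.
store_customer($pdo, $submitted, '0000000000', 'Sample Village');
$row = $pdo->query('SELECT costumer_name, mob, village FROM costumers')
           ->fetch(PDO::FETCH_ASSOC);

echo 'unsafe: ' . render_customer_row_unsafe($row) . PHP_EOL; // live markup in the page
echo 'safe:   ' . render_customer_row_safe($row) . PHP_EOL;   // inert, visible text
```

Running this prints the stored value twice: the unsafe row contains the raw `<details ...>` element, which a browser would parse and whose event handler it would fire, while the safe row contains only `&lt;` and `&gt;` entities that display as text. The encoding must be applied on every page that renders the field, not just the one that lists customers, and a value placed in a different context (a JavaScript string, a URL, an unquoted attribute) needs the encoder for that context rather than `htmlspecialchars` alone.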