Submit #264605: codeastro.com Web Application 1.0 Cross-Site Scripting (XSS)

Title: codeastro.com Web Application 1.0 Cross-Site Scripting (XSS)
Description:

Vulnerability Report

Introduction: This document outlines the identification and details of a Cross-Site Scripting (XSS) vulnerability discovered in the POS and Inventory Management System in PHP CodeIgniter.

System Overview:
Project Name: POS and Inventory Management System in PHP CodeIgniter
Version/Build: Alger Makiputin
Project Link: https://codeastro.com/pos-and-inventory-management-system-in-php-codeigniter-with-source-code/

Vulnerability Details:
Description: Multiple instances of Cross-Site Scripting (XSS) vulnerabilities were found in the "new_item" parameter of the POS and Inventory Management System.
Affected Area: New Item Creation Page
Potential Impact: Allows an attacker to inject and execute arbitrary scripts in users' browsers, posing a significant XSS risk.
Severity: High

Mitigation Steps:
Input Validation and Output Encoding: Implement robust input validation and output encoding for user inputs on the "new_item" page.
Content Security Policy (CSP): Apply Content Security Policy (CSP) headers to mitigate XSS risks.

Reproduction Steps:
1. Access the URL: http://localhost/POS IMS-CI/new_item
2. Input <img src/onerror=prompt(8)> in the relevant field.
3. Submit the form.
4. Observe the execution of the payload.

Attachments:

Reporter Information:
Name: ABHISHEK K A
Contact Information: abhishekkallumada001@gmail.com
Role: Cybersecurity Researcher

Project Details:
Project Name: POS and Inventory Management System in PHP CodeIgniter
Version/Build: Alger Makiputin
Project Link: https://codeastro.com/pos-and-inventory-management-system-in-php-codeigniter-with-source-code/
Source of Project: The POS and Inventory Management System project was obtained from codeastro.com.
Discovery Date: 06/01/2024

Your Commitment:
Responsible Disclosure: I commit to responsible disclosure and will not publicly disclose the vulnerability until it has been addressed.

Preferred Communication Method:
Contact Information: abhishekkallumada001@gmail.com

Timeline: The vulnerability was discovered on 06/01/2024.
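As an added illustration that is not part of this submission or of the project's source, the PHP snippet below shows the output encoding and CSP header that the report's mitigation step calls for; the function names are hypothetical, since the project's actual view and controller code is not on this page.

```php
<?php
// Added example (not the project's code): escaping the "new_item" value
// before it is rendered back into HTML. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the submitted item name is concatenated raw into the
// markup, so a value such as <img src/onerror=prompt(8)> becomes a live
// element and the browser runs its onerror handler.
function renderItemNameUnsafe(string $newItem): string
{
    return '<td class="item-name">' . $newItem . '</td>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also escapes ' and ", which matters if the same value is ever
// placed inside an attribute; the charset argument must match the page's.
function renderItemNameSafe(string $newItem): string
{
    $escaped = htmlspecialchars($newItem, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="item-name">' . $escaped . '</td>';
}

// Defence in depth: a CSP without 'unsafe-inline' makes inline event
// handlers such as onerror= inert even if one encoding step is missed.
// Must be sent before any output.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed input, taken from the report's reproduction step.
$input = '<img src/onerror=prompt(8)>';

sendCspHeader();
// The first line reaches the browser as markup; the second as literal text.
echo renderItemNameUnsafe($input), PHP_EOL;
echo renderItemNameSafe($input), PHP_EOL;
```

CodeIgniter ships equivalent helpers (html_escape() in CodeIgniter 3, esc() in CodeIgniter 4) that wrap the same escaping and should be applied to every user-controlled value in the item views, not only on the "new_item" page.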
Source: https://drive.google.com/file/d/1_CoeXcCC8fXzKJO-Xvjuq1qYtf8QKHaM/view?usp=sharing
User: ABHISHEK K.A (ID 61005)
Submission: 2024-01-09 07:50
Moderation: 2024-01-11 13:17 (2 days later)
Status: Accepted
VulDB Entry: 250441
