Submit #597093: SourceCodester My Food Recipe 1.0 Stored Cross Site Scripting

Title: SourceCodester My Food Recipe 1.0 Stored Cross Site Scripting

Description: A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the My Food Recipe application developed by SourceCodester. The vulnerability resides in the "Add Recipe" functionality, where user-supplied input is improperly sanitized before being stored and rendered, allowing arbitrary JavaScript to be executed in the context of other users' sessions.

Affected Field: recipe_name (input type: text)
Affected Endpoint: /endpoint/add-recipe.php (via #addRecipeModal modal form)
Input Vector: POST request via form submission
Impact: Stored JavaScript payload is triggered when the page loads or when the data is viewed.

Steps to Reproduce

1. Open the modal by clicking the Add Recipe button:

    <button type="button" class="btn btn-add-food btn-secondary" data-toggle="modal" data-target="#addRecipeModal">Add Recipe</button>

2. In the Recipe Name field, insert the following payload:

    <script>alert('PoC VulDB My Food Recipe')</script>

3. Fill the remaining fields with valid data (e.g., category, ingredients, procedure) and click Save changes.

Upon submitting the form, the payload is stored in the database. Whenever the recipe data is rendered again (e.g., recipe listing or detail views), the JavaScript is executed, confirming a persistent (stored) XSS vulnerability.
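The rendering flaw described above next to a hardened form, as an added example that is not code from the submission or from the My Food Recipe project. The function names, the `recipe-title` markup and the 200-byte limit are assumptions; the application's own source is not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real rendering code is not on the page.

/** Vulnerable pattern: the stored recipe_name is concatenated into HTML as-is. */
function render_recipe_name_unsafe(string $recipeName): string
{
    return '<h5 class="recipe-title">' . $recipeName . '</h5>';
}

/** Hardened pattern: encode for the HTML body context at output time. */
function render_recipe_name_safe(string $recipeName): string
{
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from turning the whole string into an empty result.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<h5 class="recipe-title">' . htmlspecialchars($recipeName, $flags, 'UTF-8') . '</h5>';
}

/**
 * Input-side check for an add-recipe handler. This is defence in depth only;
 * the output encoding above is what stops the stored value from executing.
 * Returns the cleaned name, or null when the value should be rejected.
 */
function validate_recipe_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 200) { // assumed length limit, in bytes
        return null;
    }
    // Reject control characters and angle brackets. preg_match() returns false
    // on invalid UTF-8 with /u, so "!== 0" rejects that case as well.
    if (preg_match('/[\x00-\x1F\x7F<>]/u', $name) !== 0) {
        return null;
    }
    return $name;
}

// Constructed sample input: the PoC string quoted in the submission and a benign name.
$samples = ["<script>alert('PoC VulDB My Food Recipe')</script>", 'Grandma\'s "Best" Chili'];

foreach ($samples as $s) {
    echo 'unsafe:   ', render_recipe_name_unsafe($s), PHP_EOL;
    echo 'safe:     ', render_recipe_name_safe($s), PHP_EOL;
    echo 'accepted: ', var_export(validate_recipe_name($s) !== null, true), PHP_EOL;
}
```

Rows already stored before such a fix stay in the database unchanged, which is why the encoding belongs at every place the recipe name is rendered rather than only at the insert.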
Source: https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README4.md
User: RaulPACXXX (UID 84502)
Submission: 06/14/2025 19:39 (10 months ago)
Moderation: 06/19/2025 12:39 (5 days later)
Status: Accepted
VulDB entry: 313340 [SourceCodester My Food Recipe 1.0 Add Recipe Page /endpoint/add-recipe.php addRecipeModal Name cross site scripting]
Points: 20