| Title | SourceCodester Web-based Pharmacy Product Management System 1.0 Cross Site Scripting |
|---|
| Description | A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Web-based Pharmacy Product Management System version 1.0. The vulnerability affects the profile update functionality in edit-profile.php, specifically the "fullname" parameter.
The application does not properly sanitize or encode user-supplied input before storing it in the database. An authenticated attacker can inject malicious JavaScript into the fullname field. The payload is stored persistently and rendered within the global application layout (e.g., header or navigation area).
As a result, the injected script executes automatically on every page load across the application after profile modification. Successful exploitation allows execution of arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, privilege escalation, and unauthorized actions. |
|---|
| Source | ⚠️ https://gist.github.com/Denilxavier/6b21cb788f7f545179286f6c44989448 |
|---|
| User | Denil Xavier (UID 95932) |
|---|
| Submission | 02/26/2026 16:39 (2 months ago) |
|---|
| Moderation | 03/07/2026 21:51 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 349744 [SourceCodester Web-based Pharmacy Product Management System 1.0 edit-profile.php fullname cross site scripting] |
|---|
| Points | 20 |
|---|