# Stored Cross-site Scripting (Stored XSS) in Sourcecodester Free and Open Source inventory management system 1.0 (`/app/action/add_staff.php` and `/pages/staff_list.php`) ## Description and Impact: - This vulnerability was found in Free and Open Source inventory management system project with version 1.0 in Sourecodester (https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html) - The vulnerability was found in Staff function, when adding new staff, I can inject some malicious javascript code in `Name`, `Designation`, `Address` parameter. - Application does not properly sanitize or validate the input, after adding new staff, if we access to `staff_list.php` function, it will trigger the malicious javascript code I just added before, lead to stored XSS ## Step to reproduce: - First, access to the dashboard of the website  - Then click of Staff and choose Add Staff section  - At the `Name`, `Designation`, `Address` parameter, inject a malicious javascript code. For my example, I will use `<script>alert(1337)</script>` for `Name` parameter, `<script>alert(1338)</script>` for `Designation` parameter, and `<script>alert(1339)</script>` for `Address` parameter and then click `Add member` to save new staff.  - Finally, click on `Staff list` right below the `Add staff` to trigger stored XSS vulnerability