# Stored Cross-site Scripting (Stored XSS) in Sourcecodester Free and Open Source inventory management system 1.0 (`/app/action/add_staff.php` and `/pages/staff_list.php`)
# CVE-2024-9323
## Description and Impact:
- This vulnerability affects the Free and Open Source inventory management system, version 1.0, from Sourcecodester (https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html).
- The vulnerability is in the Staff function: when adding a new staff member, malicious JavaScript can be injected through the `Name`, `Designation` and `Address` parameters.
- The application does not sanitize or validate this input, and `staff_list.php` renders the stored values without output encoding. After the new staff member is saved, opening `staff_list.php` executes the injected JavaScript in the browser of every user who views the list, which makes this a stored XSS.
## Steps to reproduce:
- First, open the dashboard of the website

- Then click Staff and choose the Add Staff section

- In the `Name`, `Designation` and `Address` parameters, inject malicious JavaScript. In this example, `<script>alert(1337)</script>` is used for the `Name` parameter, `<script>alert(1338)</script>` for the `Designation` parameter and `<script>alert(1339)</script>` for the `Address` parameter; then click `Add member` to save the new staff member.

- Finally, click `Staff list` (right below `Add staff`) to trigger the stored XSS
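The following PHP is an added illustrative example, not code taken from the Sourcecodester project, showing the rendering pattern that produces this stored XSS next to its fix. Column names (`name`, `designation`, `address`), the function names and the sample rows are assumptions constructed for the example; the payloads are the three used in the steps above.

```php
<?php
// Added example (not the project's code): the stored-XSS pattern behind
// CVE-2024-9323 and its fix. Column, variable and function names are assumed.

// Output-encode a value for an HTML text or double-quoted attribute context.
function e(?string $value): string
{
    // ENT_QUOTES also encodes single quotes (attribute context);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which
    // would silently drop the field and hide the problem).
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample rows standing in for the result of the staff query.
$staff = [
    [
        'name'        => '<script>alert(1337)</script>',
        'designation' => '<script>alert(1338)</script>',
        'address'     => '<script>alert(1339)</script>',
    ],
];

// Vulnerable rendering: stored values are interpolated verbatim, so the
// browser parses the payloads as markup when staff_list.php is opened.
function renderStaffVulnerable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= "<tr><td>{$row['name']}</td><td>{$row['designation']}</td>"
               . "<td>{$row['address']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: every untrusted field passes through e() at the point
// where it enters the HTML, so the payloads render as literal text.
function renderStaffSafe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . e($row['name']) . '</td><td>' . e($row['designation'])
               . '</td><td>' . e($row['address']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$vulnerable = renderStaffVulnerable($staff);
$safe       = renderStaffSafe($staff);

// Self-check: raw <script> tags survive only in the vulnerable output.
if (!str_contains($vulnerable, '<script>alert(1337)</script>')) {
    throw new RuntimeException('vulnerable renderer unexpectedly encoded the payload');
}
if (str_contains($safe, '<script>')) {
    throw new RuntimeException('hardened renderer leaked raw markup');
}
if (!str_contains($safe, '&lt;script&gt;alert(1337)&lt;/script&gt;')) {
    throw new RuntimeException('hardened renderer did not produce the expected entities');
}

echo "Vulnerable output:\n", $vulnerable, "\nHardened output:\n", $safe;
```

Run with `php example.php` (PHP 8.0 or later, for `str_contains`). The fix belongs at the output side in `staff_list.php`: encoding at render time protects every page that displays these fields, whereas stripping or rejecting input in `add_staff.php` is useful as defence in depth but does not protect values that reach the database by another route.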


