Stored Cross-site Scripting (Stored XSS) in Sourcecodester Free and Open Source inventory management system 1.0 (/app/action/add_staff.php and /pages/staff_list.php)

CVE-2024-9323

Description and Impact:

• This vulnerability was found in Free and Open Source inventory management system project with version 1.0 in Sourecodester (https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html)
• The vulnerability was found in Staff function, when adding new staff, I can inject some malicious javascript code in Name, Designation, Address parameter.
• Application does not properly sanitize or validate the input, after adding new staff, if we access to staff_list.php function, it will trigger the malicious javascript code I just added before, lead to stored XSS

Step to reproduce:

• First, access to the dashboard of the website

• Then click of Staff and choose Add Staff section

• At the Name, Designation, Address parameter, inject a malicious javascript code. For my example, I will use <script>alert(1337)</script> for Name parameter, <script>alert(1338)</script> for Designation parameter, and <script>alert(1339)</script> for Address parameter and then click Add member to save new staff.

• Finally, click on Staff list right below the Add staff to trigger stored XSS vulnerability