CVE-2019-25265
Description
Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Online Inventory Manager 3.2 is vulnerable to stored XSS in the group description field, allowing admin users to inject malicious JavaScript that executes when viewing groups.
Vulnerability
Online Inventory Manager 3.2, an inventory management application built with AppGini [1], contains a stored cross-site scripting (XSS) vulnerability in the group description field of the admin edit groups section. The application fails to properly sanitize user input before rendering it in the group management page, allowing arbitrary JavaScript to be embedded [2][3].
Exploitation
To exploit this vulnerability, an attacker must have administrative access or at least the ability to edit groups in the admin panel. The attacker inserts a malicious payload into the description field using the edit groups page (pageEditGroup.php). When an admin subsequently views the groups page (pageViewGroups.php), the injected script executes automatically [2]. The exploit is straightforward, as demonstrated by a public proof-of-concept that triggers an alert displaying cookies [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to cookie theft, session hijacking, defacement, or other client-side attacks. Since the XSS is stored, it affects any user who visits the compromised groups page [2][3].
Mitigation
As of the advisory date, no official patch has been announced for this vulnerability in version 3.2. Users should upgrade to a newer version if available, or restrict access to the admin panel to trusted users. Additionally, input validation and output encoding should be applied to the group description field to prevent future XSS attacks [2][3].
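The output-encoding fix described above, as an added example (not code from Online Inventory Manager or AppGini): the unsafe rendering pattern beside the hardened one, plus an input check for the description field. Function names, the table-cell markup and the constructed sample value are assumptions.

```php
<?php
// Added example, not the application's own code. Function names and the
// surrounding markup are assumptions about how a group row is rendered.
declare(strict_types=1);

// Vulnerable pattern: the stored description is echoed into the page as-is,
// so any markup saved through pageEditGroup.php runs in the browser of
// whoever later opens pageViewGroups.php.
function renderDescriptionUnsafe(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

// Hardened pattern: encode on output, every time the value reaches HTML.
// ENT_QUOTES also escapes single quotes, so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
// producing an empty string (which would hide data rather than protect it).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDescriptionSafe(string $description): string
{
    return '<td class="description">' . escapeHtml($description) . '</td>';
}

// Defence in depth on input (server side, at save time): a group description
// has no legitimate need for tags, so reject anything that strip_tags would
// alter, and bound the length to what the column is meant to hold.
function validateDescription(string $description): bool
{
    return mb_strlen($description, 'UTF-8') <= 255
        && $description === strip_tags($description);
}

// Constructed sample of the kind of value the public PoC stores in the field.
$stored = '<script>alert(document.cookie)</script>';

echo renderDescriptionUnsafe($stored), PHP_EOL;   // script tag reaches the browser
echo renderDescriptionSafe($stored), PHP_EOL;     // rendered as literal text
var_dump(validateDescription($stored));           // rejected at save time
```

Output encoding is the control that actually closes the bug; the input check only narrows what can be stored and should not be relied on alone.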
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 3.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.