SourceCodester Sanitization Management System cross site scripting
Description
A vulnerability was found in SourceCodester Sanitization Management System. It has been classified as problematic. Affected is an unknown function of the file /php-sms/admin/. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-210840.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in SourceCodester Sanitization Management System allows remote attackers to inject arbitrary web scripts via the 'page' parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the SourceCodester Sanitization Management System, accessible via the file /php-sms/admin/. The vulnerable function does not properly sanitize user input for the page argument, allowing injection of arbitrary HTML and JavaScript. The issue affects the system as disclosed in October 2022 [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by crafting a malicious URL that includes a script payload in the page parameter. If a victim visits this specially crafted URL, the injected script executes in the context of their browser session [1].
Impact
Successful exploitation leads to reflected XSS, enabling the attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal session cookies, deface the page, or perform actions on behalf of the victim within the application [1].
Mitigation
No official fix or patched version has been released by SourceCodester as of the publication date. Users should validate and sanitize the page parameter input. Until a vendor-supplied patch is available, implementing a Web Application Firewall (WAF) rule to block XSS payloads or applying proper output encoding is recommended [1].
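The two application-level measures named above, allowlist validation of `page` and output encoding, shown as an added example that is not part of the advisory or of the vendor's code. The page names, function names and the "before" pattern are assumptions, since the advisory does not show the affected source; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; the advisory does not list the application's real page names.
const ALLOWED_PAGES = ['home', 'services', 'inquiries'];

/** Encode untrusted text for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the page name only on an exact allowlist match, otherwise null. */
function resolve_page(mixed $raw): ?string
{
    // page[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : null;
}

/** Assumed vulnerable pattern: the parameter is reflected into markup unchanged. */
function render_unsafe(array $query): string
{
    return '<h1>Page: ' . ($query['page'] ?? 'home') . '</h1>';
}

/** Hardened pattern: validate against the allowlist, encode whatever is echoed. */
function render_safe(array $query): string
{
    $raw  = $query['page'] ?? 'home';
    $page = resolve_page($raw);
    if ($page === null) {
        $shown = is_string($raw) ? h($raw) : '(invalid)';
        return '<h1>Unknown page: ' . $shown . '</h1>';
    }
    return '<h1>Page: ' . h($page) . '</h1>';
}

// Constructed sample requests (not taken from the advisory).
$samples = [['page' => 'services'], ['page' => '<b>x</b>'], ['page' => ['x']]];
foreach ($samples as $q) {
    echo render_safe($q), PHP_EOL;
}
```

Encoding is applied at the point of output even for allowlisted values, so the markup stays safe if the allowlist is later widened.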
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SourceCodester/Sanitization Management System v5 (Range: n/a)
Patches
No patches discovered yet.
References