VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated Aug 3, 2024

SourceCodester Simple Cold Storage Management System Create User cross site scripting

CVE-2022-3546

Description

A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /csms/admin/?page=user/list of the component Create User Handler. The manipulation of the argument First Name/Last Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-211046 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in SourceCodester Simple Cold Storage Management System 1.0 lets anyone who can submit the admin panel's Create User form store arbitrary JavaScript in the First Name/Last Name fields; the script then runs in the browser of every administrator who views the user list.

Vulnerability

The vulnerability resides in the /csms/admin/?page=user/list endpoint of SourceCodester Simple Cold Storage Management System version 1.0, specifically in the Create User Handler. The First Name and Last Name values are stored without validation and later written back into the user list page without HTML output encoding, so markup or script supplied in either field is emitted verbatim and executed by the viewing browser: a stored cross-site scripting (XSS) flaw. The public exploit demonstrates injection into these fields [1].

Exploitation

Exploitation requires an account that can log in to the admin panel and reach the Create User form; no privilege beyond that is needed, and the attack is "remote" only in the sense that it needs nothing but HTTP access to the application. The attacker submits a first or last name containing a JavaScript payload (a script tag, or an attribute-breakout string if the value is also reflected inside an HTML attribute). The value is persisted server-side and executes in the browser of every administrator who subsequently opens the user list, so a single malicious or compromised account is enough to attack every other administrator [1].

Impact

Successful exploitation gives the attacker arbitrary JavaScript execution in the browser of any admin who visits the user list page. From there the script can read the session cookie (if it is not marked HttpOnly), issue requests to the management functions with the victim's session (for example creating further users), or deface the page. The confidentiality and integrity of the admin session are compromised, with potential access to sensitive management functions.

Mitigation

No vendor patch exists for this version as of this writing, and SourceCodester projects of this kind are generally unmaintained, so treat the software as end-of-life. Remediation means applying context-appropriate HTML output encoding (text-node and attribute encoding, including quotes) at every place the stored names are written into a page, with input validation of the First Name and Last Name fields (length and character set) as defence in depth; input sanitization alone is not sufficient, because the same stored value may be rendered in more than one context. Marking the session cookie HttpOnly and SameSite and deploying a Content Security Policy limit what a successful injection can do. Restricting access to the admin panel to trusted networks reduces exposure. No known KEV listing exists.
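To make the Vulnerability and Mitigation sections concrete, the following is an added example in Python; it is not the project's code (the real template of Simple Cold Storage Management System is not on this page, and nothing beyond the field labels "First Name/Last Name" is known from the advisory). It models the user-list row and an edit form as templates parameterised by an output filter: passing str reproduces the vulnerable echo-the-stored-value pattern, passing encode_html (html.escape with quote=True, the equivalent of PHP's htmlspecialchars with ENT_QUOTES, assuming a PHP template as is usual for SourceCodester projects) is the fix. The sample records, payload strings and helper names (render_user_list, render_edit_form, unencoded_fields, demo) are all constructed for the illustration. The second record's last name shows why quote encoding matters: it is harmless inside a td text node but breaks out of a value="..." attribute. unencoded_fields is the check a practitioner runs against a captured page after deploying a fix.

```python
import html

# Constructed sample data (not the public PoC): one benign record and one
# attacker-chosen record whose names carry a text-node payload and an
# attribute-breakout payload. Field names mirror the advisory's
# "First Name/Last Name"; the real application's parameter names are unknown.
SAMPLE_USERS = [
    {"firstname": "Alice", "lastname": "Admin"},
    {
        "firstname": "<script>alert(document.cookie)</script>",
        "lastname": 'x" onmouseover="alert(1)',
    },
]


def encode_html(value):
    """Context-appropriate encoding for HTML text nodes and double-quoted
    attribute values: &, <, >, " and ' become entities. Python equivalent of
    PHP's htmlspecialchars($v, ENT_QUOTES, 'UTF-8')."""
    return html.escape(str(value), quote=True)


def render_user_list(users, encode):
    """Render the user list table. `encode` is the per-field output filter;
    the vulnerable template corresponds to encode=str (emit the stored value
    as-is), the hardened one to encode=encode_html."""
    rows = (
        "<tr><td>{}</td><td>{}</td></tr>".format(
            encode(u["firstname"]), encode(u["lastname"])
        )
        for u in users
    )
    return "<table>" + "".join(rows) + "</table>"


def render_edit_form(user, encode):
    """Render an edit form (hypothetical second sink) that places the stored
    names inside attribute values. A payload that is inert in a <td> text
    node can close the value="..." attribute here and add an event handler,
    which is why the encoder must also cover quotes."""
    return (
        '<form><input name="firstname" value="{}">'
        '<input name="lastname" value="{}"></form>'
    ).format(encode(user["firstname"]), encode(user["lastname"]))


def unencoded_fields(page_html, user):
    """Post-fix verification: names of the fields whose stored value contains
    HTML metacharacters and still appears verbatim in the rendered page.
    An empty list means every dangerous value was encoded on output."""
    meta = set('<>"\'&')
    return [
        name
        for name, value in user.items()
        if (meta & set(value)) and value in page_html
    ]


def demo():
    """Render both sinks with and without output encoding and report which
    attacker-controlled fields leak through unencoded in each case."""
    attacker = SAMPLE_USERS[1]
    vulnerable = render_user_list(SAMPLE_USERS, str) + render_edit_form(attacker, str)
    hardened = render_user_list(SAMPLE_USERS, encode_html) + render_edit_form(
        attacker, encode_html
    )
    return {
        "vulnerable_leaks": unencoded_fields(vulnerable, attacker),
        "hardened_leaks": unencoded_fields(hardened, attacker),
    }


if __name__ == "__main__":
    # -> {'vulnerable_leaks': ['firstname', 'lastname'], 'hardened_leaks': []}
    print(demo())
```

Encoding is applied at the point of output, not on the way into the database: the stored value stays what the user typed, and each template encodes it for the context it writes into. Input validation of the name fields is still worthwhile, but as a second layer; it is the output filter that closes the hole.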

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.