VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated Nov 20, 2024

SourceCodester Simple Cold Storage Management System Add New Storage cross site scripting

CVE-2022-3548

Description

A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the component Add New Storage Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-211048.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in SourceCodester Simple Cold Storage Management System 1.0 via the Name parameter in the Add New Storage Handler.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in SourceCodester Simple Cold Storage Management System version 1.0. The flaw resides in the Add New Storage Handler component, where the Name parameter is not properly sanitized before being processed. An attacker can inject arbitrary JavaScript code through this parameter, leading to stored XSS. The vulnerability is classified as problematic and has been publicly disclosed [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. The attack involves sending a crafted request to the Add New Storage Handler endpoint with malicious JavaScript embedded in the Name field. The injected script will be stored and executed when an administrator or other user views the affected page. The exploit has been published, demonstrating the attack vector [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The impact is limited to the browser session and does not provide direct server-side access.

Mitigation

As of the publication date (2022-10-17), no official patch or fixed version has been released by the vendor. Users are advised to implement input validation and output encoding for the Name parameter, or consider disabling the Add New Storage functionality until a fix is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
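The input validation and output encoding advised above could look like the following. This is an added example, not code from the vendor or from this advisory. It assumes the application is written in PHP with the mbstring extension available, and the function names, length limit, allowlist pattern and sample values are all hypothetical.

```php
<?php
// Added illustration, not the vendor's code. Function names, the length
// limit and the allowlist pattern are assumptions made for this sketch.

const STORAGE_NAME_MAX = 100;

/**
 * Input validation for the storage Name on write.
 * Returns the normalized name, or null when the value must be rejected.
 */
function validate_storage_name(string $raw): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;                      // reject malformed byte sequences
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > STORAGE_NAME_MAX) {
        return null;                      // empty or over the length limit
    }
    // Allowlist: letters, digits, space and a few separators. Markup
    // characters such as < > " ' & are not accepted.
    if (!preg_match('/^[\p{L}\p{N} ._#\/()-]+$/u', $name)) {
        return null;
    }
    return $name;
}

/** Output encoding for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions; two of them carry harmless markup.
$submitted = ['Freezer Room A-1', '  Dock #3 (north)  ', '<b>Cold</b> Room', '"><i>x</i>', ''];

foreach ($submitted as $raw) {
    $name = validate_storage_name($raw);
    printf("%-24s => %s\n", json_encode($raw), $name === null ? 'rejected' : 'accepted');
}

// Rows saved before validation existed may still contain markup, so every
// page that renders the name encodes it, whatever the write path did.
$legacyRow = ['name' => '<b>Cold</b> Room'];   // constructed record
echo '<td>' . h($legacyRow['name']) . '</td>', "\n";
```

Validation on write narrows what can be stored, but encoding at render time is the control that neutralizes names already in the database.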

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

2
