SourceCodester Simple Cold Storage Management System My Account cross site scripting
Description
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component My Account. The manipulation of the argument First Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211201 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Simple Cold Storage Management System 1.0 has a stored XSS vulnerability via the First Name parameter in the My Account page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Simple Cold Storage Management System version 1.0. The flaw resides in the First Name argument of the My Account component, where user-supplied input is insufficiently sanitized before being stored and later rendered in the application. This allows an attacker to inject arbitrary JavaScript or HTML that persists in the system. The vulnerability is cataloged as VDB-211201 [1].
Exploitation
An attacker can exploit this vulnerability remotely without prior authentication. The attacker needs to submit a crafted payload via the First Name field during a profile update or similar operation on the My Account page. Once the input is saved, the malicious script executes automatically in the browsers of other administrators or users who view the affected profile or page. A proof-of-concept has been publicly disclosed [1].
Impact
Successful exploitation results in persistent execution of arbitrary JavaScript within the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker does not gain server-side control but can compromise the confidentiality and integrity of user data on the vulnerable instance.
Mitigation
As of the publication date (2022-10-18), no official patch or fixed version has been released by SourceCodester for this issue. Administrators should review the application code and implement proper input validation and output encoding, especially for the First Name field. The software is likely end-of-life or unsupported; upgrading to a maintained alternative is recommended. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
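The two controls recommended above, server-side validation at the update handler and context-aware output encoding at render time, shown side by side with the unsafe rendering pattern behind the report. This is an added, hypothetical illustration in Python, not code from Simple Cold Storage Management System; the name allowlist, length cap and in-memory store are constructed assumptions.

```python
"""Added example: hardening a profile field such as First Name against stored XSS.
Hypothetical code, not from Simple Cold Storage Management System."""
import html
import re

# Allowlist for a human name: a letter followed by letters, spaces, apostrophes
# or hyphens, at most 64 characters. Constructed assumption; match the real schema.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[' -]){0,63}$")


def validate_first_name(value: str) -> bool:
    """Server-side check in the My Account update handler, before storage."""
    return NAME_RE.fullmatch(value) is not None


def update_first_name(store: dict, user_id: int, value: str) -> None:
    """Reject anything that is not a plausible name instead of persisting it."""
    if not validate_first_name(value):
        raise ValueError("first name contains disallowed characters")
    store[user_id] = value


def render_profile_vulnerable(first_name: str) -> str:
    """The flawed pattern: the stored value is concatenated into HTML unchanged,
    so whatever reached the database runs in every viewer's browser."""
    return f'<div class="profile">Welcome, {first_name}</div>'


def render_profile_safe(first_name: str) -> str:
    """Output encoding for an HTML body context: the value is inert text even if
    validation was bypassed or older rows were stored before the fix."""
    return f'<div class="profile">Welcome, {html.escape(first_name, quote=True)}</div>'


if __name__ == "__main__":
    # Constructed canary payload of the kind the advisory describes.
    payload = "<script>alert(1)</script>"
    store: dict = {}
    try:
        update_first_name(store, 1, payload)
    except ValueError as exc:
        print("rejected at input:", exc)
    update_first_name(store, 1, "Jean-Luc O'Neil")
    print(render_profile_safe(store[1]))
    # Encoding alone neutralises a value that was stored before the fix.
    print(render_profile_safe(payload))
```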
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
- SourceCodester/Simple Cold Storage Management System, Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.