SourceCodester Gadget Works Online Ordering System Add New User cross site scripting
Description
A vulnerability has been found in SourceCodester Gadget Works Online Ordering System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /philosophy/admin/user/controller.php?action=add of the component Add New User. The manipulation of the argument U_NAME leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222862 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Gadget Works Online Ordering System 1.0 contains a stored XSS in the Add New User function via the U_NAME parameter.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Gadget Works Online Ordering System version 1.0. The flaw resides in the file /philosophy/admin/user/controller.php?action=add within the Add New User component. The U_NAME parameter is not sanitized before being stored, allowing arbitrary JavaScript to be injected. The vulnerability is classified as problematic (low severity) and was publicly disclosed via a bug report on GitHub [1].
Exploitation
An attacker needs administrative access to the system. The reference provides default admin credentials (username: janobe, password: admin) and details the steps: log in, navigate to Users, click Add New User, enter a malicious payload into the Account Name (`U_NAME`) field, and save the user [1]. No additional authentication or special network position is required beyond admin access.
Impact
Successful exploitation results in stored XSS, meaning the injected script executes in the browser of any authenticated admin who visits the user listing page (/philosophy/admin/user/index.php). The attacker can steal session cookies, perform actions on behalf of the victim, or deface the admin panel. The impact is limited to the admin interface, but it can lead to session hijacking and unauthorized administrative actions [1].
Mitigation
As of publication (March 2023), no official patch or fixed version has been released by SourceCodester. The vendor has not acknowledged the vulnerability. Users should restrict administrative access to trusted personnel, sanitize all user input in the controller, and consider applying a web application firewall rule to block XSS payloads. The CVE is not listed on the CISA KEV at this time [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =1.0
- (no CPE) range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the U_NAME parameter allows stored cross-site scripting."
Attack vector
An attacker with admin panel access sends a POST request to /philosophy/admin/user/controller.php?action=add with a malicious payload in the U_NAME parameter [ref_id=1]. The payload, such as `<script>alert(document.cookie)</script>`, is stored in the database and executed when any user visits the user listing page at /philosophy/admin/user/index.php [ref_id=1]. The attack requires authentication as an admin user but can be initiated remotely over HTTP.
Affected code
The vulnerable endpoint is /philosophy/admin/user/controller.php?action=add, which handles the POST parameter U_NAME (Account Name) [ref_id=1]. The stored payload is rendered unsanitized on the user listing page at /philosophy/admin/user/index.php [ref_id=1].
What the fix does
No patch is provided in the available references. The advisory [ref_id=1] identifies the vulnerability as stored XSS in the U_NAME parameter but does not include a fix. Remediation would require sanitizing or encoding the U_NAME input before storage and escaping it on output, or implementing a Content Security Policy to prevent script execution.
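As an added example that is not part of this record or the vendor's code, the following PHP shows the two-layer remediation described under Mitigation and What the fix does: an input policy for U_NAME at the add action, HTML escaping of the stored value on the listing page, and a CSP header as a backstop. The function names, the regex policy and the row markup are assumptions; only the parameter name U_NAME and the payload come from the advisory.

```php
<?php
// Added example (not the project's code). Names below are hypothetical;
// the row markup stands in for the listing at /philosophy/admin/user/index.php.
declare(strict_types=1);

// Escape a value for an HTML context. ENT_QUOTES also covers attribute
// values; ENT_SUBSTITUTE avoids silently dropping output on invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input policy applied in the controller (action=add) before U_NAME is stored.
// This is defence in depth: output escaping is what actually stops the XSS,
// because other code paths may still write arbitrary strings to the table.
function validateAccountName(string $uName): bool
{
    // Hypothetical policy: 3 to 32 chars, letters, digits, dot, underscore, hyphen.
    return (bool) preg_match('/^[A-Za-z0-9._-]{3,32}$/', $uName);
}

// Render one row of the user listing with every stored field escaped on output.
function renderUserRow(array $user): string
{
    return '<tr><td>' . h((string) $user['U_NAME']) . '</td></tr>';
}

// Constructed sample: the advisory's payload as it would sit in the database
// of an unpatched install, so the escaping path is exercised on real input.
$storedUser = ['U_NAME' => '<script>alert(document.cookie)</script>'];

// Backstop: even if an unescaped sink remains, inline script is blocked.
// (Ignored by the CLI SAPI; effective when served over HTTP.)
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// The policy rejects the payload at add time; the listing renders it as inert text.
var_dump(validateAccountName($storedUser['U_NAME']));
echo renderUserRow($storedUser), PHP_EOL;
```

Escaping must happen at every sink that prints U_NAME, not only the listing page; the validation regex is a policy choice and should match whatever account names the deployment legitimately needs.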
Preconditions
- auth: Attacker must have valid admin credentials (username: janobe, password: admin) to access the admin dashboard
- network: Attacker must be able to reach the web application over the network
- input: The application must not sanitize or encode the U_NAME input parameter
Reproduction
1. Log in to the admin dashboard at http://localhost/philosophy/admin/login.php with username `janobe` and password `admin`.
2. Navigate to Users, click "+ News", and select User.
3. In the "Account Name" field, enter the payload: `<script>alert(document.cookie)</script>`.
4. Click Save.
5. Visit http://localhost/philosophy/admin/user/index.php; the JavaScript payload executes [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/heitaoa999/bug_report/blob/main/vendors/janobe/Gadget%20Works%20Online%20Ordering%20System/XSS-1.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.