VYPR · Unrated severity · NVD Advisory · Published May 12, 2023 · Updated Aug 2, 2024

SourceCodester Lost and Found Information System cross site scripting

CVE-2023-2667

Description

A vulnerability has been found in SourceCodester Lost and Found Information System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file admin/. The manipulation of the argument page leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228883.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in SourceCodester Lost and Found Information System 1.0 via the `page` parameter in `admin/`.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Lost and Found Information System version 1.0. The flaw resides in the admin/ file, where the page parameter is not properly sanitized before being reflected in the response. An attacker can inject arbitrary HTML and JavaScript by crafting a malicious URL. The vulnerability is classified as problematic and has been publicly disclosed [1].

Exploitation

An attacker can exploit this vulnerability by crafting a URL such as /php-lfis/admin/?page=" and tricking a victim into visiting it. No authentication is required, and the attack can be launched remotely. The exploit does not require any special network position; the victim simply needs to click the link or be redirected to it [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement of the admin interface, or theft of sensitive information such as cookies or credentials. The impact is limited to the victim's browser session and does not directly compromise the server [1].

Mitigation

As of the publication date (2023-05-12), no official patch or updated version has been released by SourceCodester. Users should implement input validation and output encoding for the page parameter, or restrict access to the admin/ directory. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing output sanitization of the `page` query parameter in the admin page allows reflected cross-site scripting."

Attack vector

An attacker can craft a URL such as `/php-lfis/admin/?page=PAYLOAD_XSS` where the `page` parameter contains a malicious payload like `">

Affected code

The vulnerability exists in the `admin/` page of the SourceCodester Lost and Found Information System 1.0. The `page` parameter in the URL query string is not sanitized before being rendered, allowing an attacker to inject arbitrary HTML and JavaScript [ref_id=1].

What the fix does

No patch has been published by the vendor. The advisory recommends that input to the `page` parameter be properly sanitized or encoded before being output in the response, preventing the execution of injected scripts [ref_id=1].
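To make the mitigation described here and under "Mitigation" concrete, the following is an added example, not SourceCodester's code: a hypothetical admin page handler that reflects the `page` query parameter the way the advisory describes, beside a hardened version that allowlists the value and encodes it on output. The function names, the `$pages` list and the probe value are assumptions.

```php
<?php
// Added example (not the project's code). Shows a reflected-XSS pattern in a
// hypothetical admin/index.php and the hardened form of the same handler.

// --- Vulnerable pattern: the raw `page` parameter is echoed into HTML.
function render_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'home';
    // Untrusted input lands inside an attribute and in text without encoding,
    // so a value containing a double quote escapes the attribute context.
    return '<a class="active" href="?page=' . $page . '">' . $page . '</a>';
}

// --- Hardened pattern: allowlist routable values, then encode on output.
function render_hardened(array $get): string
{
    $pages = ['home', 'items', 'users', 'reports'];   // assumed page set
    $page = $get['page'] ?? 'home';
    if (!in_array($page, $pages, true)) {
        $page = 'home';   // unknown names never reach the response
    }
    // Encode for HTML attribute/text context even though the value is now
    // allowlisted: defence in depth if the list is later widened.
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="active" href="?page=' . $safe . '">' . $safe . '</a>';
}

// Constructed probe value: a quote plus a harmless tag, standing in for the
// truncated payload quoted in the advisory.
$probe = ['page' => '"><b>x</b>'];
echo render_vulnerable($probe), PHP_EOL;  // quote closes the href attribute
echo render_hardened($probe), PHP_EOL;    // falls back to the 'home' link
```

Run with `php example.php`; the first line shows the attribute broken open by the probe, the second shows the allowlisted, encoded link.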

Preconditions

  • Network: The attacker must be able to send HTTP requests to the application (network access).
  • Auth: No authentication is required to access the vulnerable admin page.

Reproduction

1. Visit the vulnerable page: `/php-lfis/admin/?page=PAYLOAD_XSS`
2. Send a GET request with the payload in the `page` parameter, e.g.: `GET /php-lfis/admin/?page=">

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
