SourceCodester Lost and Found Information System Contact Form cross site scripting
Description
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file classes/Master.php?f=save_inquiry of the component Contact Form. The manipulation of the argument fullname/contact/message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228887.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lost and Found Information System 1.0 suffers from a stored XSS vulnerability in the Contact Form, allowing remote attackers to inject arbitrary JavaScript.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Lost and Found Information System version 1.0. The issue occurs in the classes/Master.php?f=save_inquiry file of the Contact Form component. The parameters fullname, contact, and message are not properly sanitized before being processed and stored, leading to the injection of arbitrary HTML and JavaScript. The vulnerability is classified as CWE-79. [1]
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted POST request to /php-lfis/classes/Master.php?f=save_inquiry with malicious payloads in the fullname, contact, or message fields. The request is made via the Contact Form page (/?page=contact). No authentication is required. The proof-of-concept shows a simple POST request with multipart form data containing the XSS payload. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser when the stored data is viewed. This could lead to session hijacking, defacement, or theft of sensitive information. The impact is considered problematic, with potential for data integrity and confidentiality breaches. [1]
Mitigation
As of the publication date (12 May 2023), no official patch has been released. The vendor has not provided a fix. Users should consider applying input validation and output encoding to the affected parameters, or disable the Contact Form until a patch is available. The vulnerability has been publicly disclosed and may be used in attacks. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SourceCodester / Lost and Found Information System (range: = 1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `save_inquiry` function allows user-controllable `fullname`, `contact`, and `message` parameters to be reflected in output without neutralization, leading to cross-site scripting [CWE-79] [ref_id=1]."
Attack vector
An attacker can remotely trigger the vulnerability by visiting the contact page at `/php-lfis/?page=contact` and submitting a crafted POST request to `/php-lfis/classes/Master.php?f=save_inquiry` [ref_id=1]. The payload is injected via the `fullname`, `contact`, or `message` form fields, which are not neutralized before being output as a web page served to other users [ref_id=1]. This leads to stored or reflected cross-site scripting (XSS) [CWE-79].
Affected code
The vulnerability exists in the file `classes/Master.php?f=save_inquiry` of the Contact Form component [ref_id=1]. The arguments `fullname`, `contact`, and `message` are not sanitized before being stored or reflected [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation guidance [ref_id=1]. To close the vulnerability, the application should sanitize or escape the `fullname`, `contact`, and `message` parameters before storing them or rendering them in a web page, preventing arbitrary HTML/JavaScript injection.
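As an added illustration of that remediation (hypothetical code, not from the project or the advisory), a PHP sketch of the `save_inquiry` boundary: bound the input at intake, store it unchanged with a prepared statement, and escape it at render time. The table and column names, the `mysqli` handle and the function names are assumptions.

```php
<?php
// Added, hypothetical sketch; not the project's code. Table/column names,
// the mysqli handle and function names are assumptions.

// Intake validation: bound the values, but treat this as hygiene only.
// Length limits do not stop XSS; output encoding below does.
function validate_inquiry(array $post): array
{
    $fullname = trim((string)($post['fullname'] ?? ''));
    $contact  = trim((string)($post['contact'] ?? ''));
    $message  = trim((string)($post['message'] ?? ''));
    $errors = [];
    if ($fullname === '' || mb_strlen($fullname) > 100) {
        $errors[] = 'fullname must be 1-100 characters';
    }
    if ($contact === '' || mb_strlen($contact) > 50) {
        $errors[] = 'contact must be 1-50 characters';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message must be 1-2000 characters';
    }
    return [$errors, compact('fullname', 'contact', 'message')];
}

// Storage: a prepared statement keeps the raw text intact (no "sanitizing"
// on the way in, which would corrupt legitimate input) and avoids SQLi.
function save_inquiry(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare(
        'INSERT INTO inquiry_list (fullname, contact, message) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $clean['fullname'], $clean['contact'], $clean['message']);
    return $stmt->execute();
}

// Output encoding is the CWE-79 fix: every stored field is escaped for the
// HTML body/attribute context at render time, so "<" becomes "&lt;" and the
// browser never parses user text as markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_inquiry_row(array $row): string
{
    return '<tr><td>' . h($row['fullname']) . '</td>'
         . '<td>' . h($row['contact']) . '</td>'
         . '<td>' . h($row['message']) . '</td></tr>';
}
```

The same `h()` treatment applies anywhere the stored values are re-displayed, including the page the advisory says serves the stored content to other users.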
Preconditions
- Network: the attacker must be able to reach the contact form page (/php-lfis/?page=contact) over HTTP.
- Authentication: none is required; the contact form is publicly accessible.
- Input: the attacker submits a POST request with malicious JavaScript payloads in the fullname, contact, or message fields.
Reproduction
1. Visit the vulnerable page at `/php-lfis/?page=contact` [ref_id=1].
2. Submit a POST request to `/php-lfis/classes/Master.php?f=save_inquiry` with a malicious payload (e.g., `
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/tht1997/CVE_2023/blob/main/Lost%20and%20Found%20Information%20System/CVE-2023-2671.md (tags: mitre, exploit)
- vuldb.com (tags: mitre, signature)
- vuldb.com (tags: mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.