SourceCodester Sales Tracker Management System cross site scripting
Description
A vulnerability was found in SourceCodester Sales Tracker Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save. The manipulation of the argument firstname/middlename/lastname/username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231164.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output encoding on user profile fields allows stored cross-site scripting."
Attack vector
An attacker with admin credentials (username: `admin`, password: `admin123`) can log in, navigate to the user management page, and click "Create New" to open the user creation form [ref_id=1]. The attacker then submits a POST request to `/classes/Users.php?f=save` with HTML anchor payloads (e.g., `
Affected code
The vulnerable endpoint is `/classes/Users.php?f=save` in the Sales Tracker Management System v1.0. The parameters `firstname`, `middlename`, `lastname`, and `username` are accepted without sanitization or encoding before being stored and later rendered in the admin user management page [ref_id=1].
What the fix does
No patch or official fix has been published by the vendor. The advisory does not include a code diff or remediation guidance. To close the vulnerability, the application must sanitize or HTML-encode the `firstname`, `middlename`, `lastname`, and `username` parameters before storing them, and/or escape output when rendering user data in the admin interface [ref_id=1].
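The remediation described above, shown as an added example. This is not code from the Sales Tracker Management System or from the advisory; the function names, the `$_POST` field set and the HTML table context are assumptions. It applies both halves of the fix: reject markup in the four named parameters on input, and HTML-encode on output so that a value stored before the fix still renders as inert text.

```php
<?php
// Added illustrative hardening; NOT the project's own code. The function
// names, the request shape and the display context are assumptions.

// Parameters the advisory names as unsanitized on /classes/Users.php?f=save.
const USER_TEXT_FIELDS = ['firstname', 'middlename', 'lastname', 'username'];

/**
 * Validate the profile fields before storage. Returns the cleaned values or
 * throws on content that is not plausible for a name or username.
 * Input validation limits what reaches the database; it does not replace
 * output encoding (see e() below), because other write paths may exist.
 */
function validate_user_fields(array $post): array
{
    $clean = [];
    foreach (USER_TEXT_FIELDS as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($field !== 'middlename' && $value === '') {
            throw new InvalidArgumentException("$field is required");
        }
        if (mb_strlen($value, 'UTF-8') > 100) {
            throw new InvalidArgumentException("$field is too long");
        }
        // Names: letters, combining marks, spaces, apostrophes, hyphens, periods.
        // Usernames: a conservative ASCII set. '<', '>', '"' and '&' never pass.
        $pattern = ($field === 'username')
            ? '/^[A-Za-z0-9._-]+$/'
            : "/^[\\p{L}\\p{M} .'-]*$/u";
        if (!preg_match($pattern, $value)) {
            throw new InvalidArgumentException("$field contains invalid characters");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

/** Output encoding for text placed in an HTML element or quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request body resembling the one the advisory describes
// (an HTML anchor in firstname). Constructed sample data, not a real capture.
$post = [
    'firstname'  => '<a href="https://example.invalid">click</a>',
    'middlename' => '',
    'lastname'   => "O'Brien",
    'username'   => 'obrien',
];

try {
    $clean = validate_user_fields($post);
    // Only reached for well-formed input; $clean is what the save routine stores.
} catch (InvalidArgumentException $ex) {
    // Rejected on input: the anchor tag never reaches the database.
    echo 'rejected: ' . $ex->getMessage() . PHP_EOL;
}

// Output side: a row that was stored before the fix is encoded when rendered,
// so the browser displays the tag as literal text instead of interpreting it.
$stored = [
    'firstname' => '<a href="https://example.invalid">click</a>',
    'lastname'  => "O'Brien",
];
echo '<td>' . e($stored['firstname']) . '</td>' . PHP_EOL;
echo '<td>' . e($stored['lastname']) . '</td>' . PHP_EOL;
```

The allow-list patterns are deliberately narrow; a deployment that needs other scripts or characters should widen them rather than drop validation. The output-side call `e()` is the part that actually prevents the stored payload from executing in the admin page, and it must be applied in every template that prints these fields, not only the user list.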
Preconditions
- auth: Attacker must have valid admin credentials (username: admin, password: admin123)
- network: Attacker must be able to reach the admin user management page at /admin/?page=user/manage_user
- input: The application must not sanitize or encode the vulnerable input parameters
Reproduction
1. Log in with admin credentials (username: `admin`, password: `admin123`).
2. Navigate to the user list and click "Create New" or visit `http://localhost/php-sts/admin/?page=user/manage_user`.
3. In the `firstname`, `middlename`, `lastname`, and `username` fields, enter payloads such as `
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md (mitre: exploit)
- packetstormsecurity.com/files/172908/Sales-Tracker-Management-System-1.0-HTML-Injection.html (mitre: related)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.