CVE-2023-36159
Description
Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Found Information System 1.0 allows remote attackers to run arbitrary code via the First Name, Middle Name and Last Name fields on the Create User page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lost and Found Information System 1.0 has a stored XSS in Create User fields, allowing remote attackers to execute arbitrary JavaScript.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in sourcecodester Lost and Found Information System 1.0, specifically in the Create User page. The application fails to sanitize user input in the First Name, Middle Name, and Last Name fields before storing them in the database and rendering them in the management site. The affected version is the one hosted on SourceCodester, dated May 1, 2023 [1]. An attacker with access to the Create User functionality can inject arbitrary JavaScript code into these fields, which will then be executed in the browser of any user who views the user list or related pages.
Exploitation
An attacker must have valid credentials to access the management site (Admin or Staff role) to reach the Create User page. Alternatively, if user registration is open to unauthenticated users (not described in the references), the attack surface is broader. The attacker crafts a payload (e.g., ``) and submits it in one of the vulnerable fields. The payload is stored in the database. When an administrator or another user browses to a page that displays the user list (e.g., Manage Users), the injected script executes in their browser. No additional user interaction beyond viewing the affected page is required.
Impact
A successful XSS attack allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker can potentially gain the privileges of the victim user (administrator or staff), leading to full compromise of the management site and its data.
Mitigation
The vendor has not released a patched version as of the publication date (2023-08-03) [1]. Users should apply input validation and output encoding for all user-supplied fields, especially in the Create User form. Implementing a Content Security Policy (CSP) can reduce the impact. Until a fix is available, restrict access to the Create User page to trusted administrators only, and consider manual review of user entries.
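As an added example (not code from the original project), the rendering defect described above beside its hardened form in Python: an allow-list check on the three name fields at submission time, HTML escaping of each cell when the user list is rendered, and a CSP header as defence in depth. The sample submission, field names and header values are constructed assumptions.

```python
import html
import re

# Constructed sample submission for the Create User form (field names are an
# assumption); the middle name carries a bare tag as an inert marker.
SAMPLE_USER = {
    "firstname": "Alice",
    "middlename": "<script>",
    "lastname": "O'Brien",
}
NAME_FIELDS = ("firstname", "middlename", "lastname")

# Allow-list for a name: starts with a letter, then letters, spaces, periods,
# hyphens or apostrophes. Any markup characters fail before reaching storage.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ .'\-])*")


def validate_name(value: str) -> bool:
    return 1 <= len(value) <= 80 and NAME_RE.fullmatch(value) is not None


def invalid_fields(user: dict) -> list:
    """Names of the fields that fail the allow-list (reject the whole submit)."""
    return [f for f in NAME_FIELDS if not validate_name(user.get(f, ""))]


def render_row_vulnerable(user: dict) -> str:
    # Mirrors the defect: stored values interpolated into HTML unchanged.
    return "<tr>" + "".join(f"<td>{user[f]}</td>" for f in NAME_FIELDS) + "</tr>"


def render_row_hardened(user: dict) -> str:
    # Output encoding at the point of rendering, applied to every field
    # regardless of whether input validation ran earlier.
    cells = "".join(f"<td>{html.escape(user[f], quote=True)}</td>" for f in NAME_FIELDS)
    return f"<tr>{cells}</tr>"


def csp_headers() -> dict:
    # Defence in depth: blocks inline scripts even if an encoding gap remains.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```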
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- sourcecodester/Lost and Found Information System
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.