CVE-2023-39707
Description
A stored cross-site scripting (XSS) vulnerability in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Add Expense parameter under the Expense section.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Free and Open Source Inventory Management System v1.0 allows attackers to inject arbitrary scripts via the Add Expense parameter.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Free and Open Source Inventory Management System v1.0 [1]. The flaw resides in the Add Expense parameter under the Expense section. User-supplied input is not properly sanitized before being stored, allowing an attacker to inject arbitrary web scripts or HTML. The vulnerability is present in version 1.0 as provided by SourceCodester [1].
Exploitation
An attacker must first register and log in to the application [2]. After authentication, they navigate to the Expense section (/index.php?page=expense) and click "Add New". In the Add Expense field, the attacker injects a payload such as `">` and submits the form [2]. The payload is stored and executed when any user views the expense list.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The attack is stored, meaning every user who accesses the affected expense page will trigger the payload.
Mitigation
As of the publication date (2023-08-25), no official patch or fixed version has been released by the vendor [1]. It is unclear whether the application is still actively maintained; the references do not indicate a fix. Users should implement input validation and output encoding for all user-supplied data, especially in the Add Expense field. Consider using a content security policy (CSP) to mitigate script execution. Until a patch is available, avoid using the expense feature with untrusted users.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Free and Open Source Inventory Management System
  - Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored cross-site scripting (XSS) due to insufficient sanitization of user-supplied input in the Add Expense field."
Attack vector
An attacker first registers an account and logs into the application [ref_id=1]. They navigate to the Expense section at /ample/index.php?page=expense and use the "Add Expense" feature to inject a crafted payload such as `"><script>alert(123)</script>` into the expense name field [ref_id=1]. When the expense record is submitted and later viewed by any user, the injected script executes in the browser, enabling arbitrary web script or HTML execution [ref_id=1].
Affected code
The bundle does not identify specific source files or functions. The vulnerability exists in the Add Expense functionality under the Expense section of the Free and Open Source Inventory Management System v1.0 [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance beyond the disclosure of the vulnerability. The vendor should implement proper input validation and output encoding on the Add Expense parameter to prevent script injection.
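The output encoding that the Mitigation and "What the fix does" sections call for, as an added example (not code from the Free and Open Source Inventory Management System itself): the expense name rendered first unencoded, then encoded for both text and attribute context, with a basic input check and the CSP header the Mitigation section suggests. The function names, the row template and the sample record are assumptions for illustration.

```php
<?php
// Added example, not part of the project's code. Function names, the row
// template and the sample record below are assumptions for illustration.

// Constructed sample: the payload quoted in the advisory, as it would be stored.
$stored = ['id' => 7, 'name' => '"><script>alert(123)</script>', 'amount' => '42.00'];

// VULNERABLE: the stored name is echoed straight into HTML text and into an
// attribute. The leading "> closes the value="..." attribute, so the script
// tag that follows becomes live markup for every user who views the list.
function render_expense_row_vulnerable(array $e): string
{
    return '<tr><td>' . $e['name'] . '</td>'
         . '<td><input type="text" name="name" value="' . $e['name'] . '"></td></tr>';
}

// HTML-encode for both text and attribute contexts. ENT_QUOTES turns " and '
// into entities, which is what stops the "> attribute break-out; ENT_SUBSTITUTE
// avoids returning an empty string on invalid UTF-8 input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: every untrusted value passes through h() at the point of output.
// Attribute values must also be quoted; encoding alone is not enough otherwise.
function render_expense_row(array $e): string
{
    return '<tr><td>' . h($e['name']) . '</td>'
         . '<td><input type="text" name="name" value="' . h($e['name']) . '"></td></tr>';
}

// Input validation is a secondary control: bound length and reject control
// characters, but do not rely on blocking "<script>" strings instead of encoding.
function validate_expense_name(string $name): bool
{
    return $name !== '' && mb_strlen($name, 'UTF-8') <= 100
        && !preg_match('/[\x00-\x1F\x7F]/', $name);
}

// Defence in depth: a CSP without 'unsafe-inline' means an encoding site that
// was missed still cannot execute an injected <script> block. Send it before output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

if (PHP_SAPI === 'cli') {
    echo "vulnerable: ", render_expense_row_vulnerable($stored), PHP_EOL;
    echo "hardened:   ", render_expense_row($stored), PHP_EOL;
}
```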
Preconditions
- auth: Attacker must have a registered account and be logged into the application.
- input: Attacker must have access to the Expense section's Add Expense form.
Reproduction
1. Visit http://localhost/ample/login.php and click "Register" to create an account.
2. After registration, navigate to http://localhost/ample/index.php?page=expense.
3. Click "Add New" and enter the payload `"><script>alert(123)</script>` into the Add Expense field.
4. Click "Add Expense" then "Submit".
5. The script executes, displaying an alert with the value 123 [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.