VYPR
Unrated severity · NVD Advisory · Published Aug 28, 2023 · Updated Oct 2, 2024

CVE-2023-39708

Description

A stored cross-site scripting (XSS) vulnerability in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Add New parameter under the New Buy section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Free and Open Source Inventory Management System v1.0 allows attackers to inject arbitrary web scripts via the Add New parameter in the New Buy section.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Free and Open Source Inventory Management System v1.0 [1]. The flaw resides in the "Add New" parameter under the "New Buy" section. An attacker can inject a crafted payload (e.g., ">) which is stored and later executed when the page is viewed. The software is available from SourceCodester [1].

Exploitation

An attacker must have access to the application's registration and login functionality. After registering and logging in, the attacker navigates to the New Buy section (/index.php?page=buy_product). In the "Add New" field, the attacker submits a payload such as "> and clicks Submit [2]. The payload is stored and will execute in the context of any user who views the affected page.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who accesses the New Buy section. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored (persistent) and does not require user interaction beyond viewing the page.

Mitigation

As of the publication date (2023-08-28), no official patch has been released. The vendor (SourceCodester) has not provided a fixed version. Users should consider input validation and output encoding to prevent XSS, or restrict access to the application until a patch is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
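
The output encoding and input validation recommended above, shown as an added example; this is not code from the affected application or from SourceCodester. The function names, the `product` field name and the validation policy are assumptions, and the stored value is a constructed, harmless sample.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a value previously saved through the "Add New" field.
// Constructed sample: harmless markup that starts with the "> sequence the advisory mentions.
$storedName = '"><i>constructed sample</i>';

// Output encoding: escape &, <, >, " and ' so the value cannot close an
// attribute or open a tag when the page is rendered.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation (assumed policy): letters, digits, spaces and a few
// punctuation marks, 1 to 100 characters. Defence in depth, not a substitute for e().
function isValidProductName(string $value): bool
{
    return preg_match('/\A[\p{L}\p{N} .,_()\-]{1,100}\z/u', $value) === 1;
}

// Before: the stored value is concatenated into an attribute unescaped.
function renderUnsafe(string $name): string
{
    return '<input type="text" name="product" value="' . $name . '">';
}

// After: the same template with the value encoded at output time.
function renderSafe(string $name): string
{
    return '<input type="text" name="product" value="' . e($name) . '">';
}

echo "unsafe: ", renderUnsafe($storedName), PHP_EOL;
echo "safe:   ", renderSafe($storedName), PHP_EOL;
echo "valid?  ", var_export(isValidProductName($storedName), true), PHP_EOL;
echo "valid?  ", var_export(isValidProductName('USB cable (2 m)'), true), PHP_EOL;
```

Encoding at output time protects records that were stored before any validation was added, which is why it is the primary control and validation the secondary one.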

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
