CVE-2023-39709
Description
Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name, Address, and Company parameters under the Add Member section.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple stored XSS vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to inject arbitrary web scripts via crafted payloads in Name, Address, and Company parameters.
Vulnerability
Free and Open Source Inventory Management System version 1.0 (PHP source code) contains multiple stored cross-site scripting (XSS) vulnerabilities in the Add Member section (Suppliar page). The Name, Address, and Company fields are stored as submitted and later rendered without output encoding, so arbitrary HTML or JavaScript placed in them is interpreted by the browser of whoever views the record [1][2].
Exploitation
An attacker must first register as a user and log in to the application. They then navigate to the Suppliar section at /index.php?page=suppliar and click "Add New Member". Submitting a payload such as "> in the Name, Address, or Company field (the leading "> closes the attribute value and tag the field is rendered into, so whatever follows is parsed as new markup) stores the payload; it then executes in the browser of any user who views the member data [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the application's origin for any user who views the affected member records. The script runs with that user's session and privileges, so it can read non-HttpOnly cookies, issue authenticated requests on the victim's behalf, deface the page, or redirect the victim to a malicious site [2].
Mitigation
As of publication, no official patch or fixed version has been released by the vendor. The software is available from SourceCodester [1]. Administrators should apply HTML output encoding to the three affected fields wherever they are rendered, or consider replacing the system until a fix is provided. Server-side input validation is a useful second layer, but output encoding is the control that closes the flaw [2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Free and Open Source Inventory Management System / Free and Open Source Inventory Management System
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization on the Name, Address, and Company parameters in the Add Member form allows stored XSS."
Attack vector
An attacker first registers or logs into the application at /ample/login.php, then navigates to the Suppliar section at /ample/index.php?page=suppliar [ref_id=1]. The attacker fills the Name, Address, and Company fields with a crafted payload such as `">
Affected code
The vulnerable application is the Free and Open Source Inventory Management System v1.0 from sourcecodester.com. The flaw resides in the "Add Member" section under the "Suppliar" page (suppliar.php), where the Name, Address, and Company parameters are rendered without sanitization [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation guidance from the vendor. To close the vulnerability, the application must HTML-encode the user-supplied Name, Address, and Company values at the point where they are rendered (both in element text and inside quoted attributes), so that stored markup is displayed literally rather than parsed as HTML or JavaScript.
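The following PHP is an added illustration for the Mitigation and "What the fix does" sections above; it is not code from the Free and Open Source Inventory Management System or from any vendor fix. The function names, the `$member` record and its payload are constructed assumptions that stand in for a row saved by "Add New Member": the vulnerable functions echo the stored values raw, the hardened ones pass every value through `htmlspecialchars` with `ENT_QUOTES`, which is what makes the values safe in both element text and quoted attribute contexts.

```php
<?php
// Added example, not the project's own code. Names such as render_member_row,
// render_edit_form and the $member array are assumptions for this demo.
declare(strict_types=1);

// Constructed sample record: the Name mimics a stored payload that starts with
// "> so it closes a quoted attribute and its tag before injecting a script.
$member = [
    'name'    => '"><script>alert(1)</script>',
    'address' => '<img src=x onerror=alert(2)>',
    'company' => 'Acme & Sons',
];

// --- Vulnerable pattern (the behaviour CVE-2023-39709 describes) ---
// Stored values are concatenated straight into markup.
function render_member_row_vulnerable(array $m): string
{
    return '<tr><td>' . $m['name'] . '</td><td>' . $m['address']
         . '</td><td>' . $m['company'] . '</td></tr>';
}

function render_edit_form_vulnerable(array $m): string
{
    // value="..." is an attribute context: a value beginning with "> ends the
    // attribute and the <input> tag, and the remainder becomes new markup.
    return '<input name="name" value="' . $m['name'] . '">';
}

// --- Hardened pattern: encode at output time for the HTML context in use ---
function e(?string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the result is safe inside quoted
    // attributes as well as element text. ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning '' (which would silently drop the field).
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_member_row(array $m): string
{
    return '<tr><td>' . e($m['name']) . '</td><td>' . e($m['address'])
         . '</td><td>' . e($m['company']) . '</td></tr>';
}

function render_edit_form(array $m): string
{
    return '<input name="name" value="' . e($m['name']) . '">';
}

// Defence in depth on the way in: reject empty or oversized values. This does
// not replace output encoding, because the same data may be rendered in other
// templates (and legitimate names like "Acme & Sons" must still be accepted).
function validate_member_input(array $post): array
{
    $errors = [];
    foreach (['name', 'address', 'company'] as $field) {
        $v = trim((string) ($post[$field] ?? ''));
        if ($v === '' || mb_strlen($v) > 255) {
            $errors[] = $field . ' must be 1-255 characters';
        }
    }
    return $errors;
}

echo "Vulnerable row:\n",       render_member_row_vulnerable($member), "\n\n";
echo "Hardened row:\n",         render_member_row($member), "\n\n";
echo "Vulnerable edit form:\n", render_edit_form_vulnerable($member), "\n\n";
echo "Hardened edit form:\n",   render_edit_form($member), "\n";
echo "Validation errors for the sample: ", json_encode(validate_member_input($member)), "\n";
```

Run with `php example.php`. In the hardened output the stored `"` and `<` appear as `&quot;` and `&lt;`, so the browser renders the payload as visible text; in the vulnerable output the `<script>` element and the broken-out `<input>` tag are parsed as real markup. Apply the same `e()` wrapper at every place the three fields are echoed, including any edit form that pre-fills them.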
Preconditions
- auth: Attacker must have a valid user account (registration is available at /ample/login.php)
- network: Attacker must be able to reach the Suppliar section and the Add Member form
- input: The application does not sanitize or encode the Name, Address, or Company input fields
Reproduction
1. Visit http://localhost/ample/login.php and click "Register" to create an account.
2. Log in and navigate to http://localhost/ample/index.php?page=suppliar.
3. Click "Add New Member" and enter the payload `">
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.