VYPR · NVD Advisory · Severity: Unrated · Published Sep 1, 2023 · Updated Oct 1, 2024

CVE-2023-39710

Description

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name, Address, and Company parameters under the Add Customer section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Free and Open Source Inventory Management System v1.0 contains stored XSS in the Name, Address, and Company parameters of the Add Customer form.

Vulnerability

Free and Open Source Inventory Management System v1.0 is vulnerable to multiple stored cross-site scripting (XSS) attacks [2]. The vulnerability exists in the Add Customer functionality, where the Name, Address, and Company parameters are not properly sanitized before being stored and later rendered. As a result, an attacker can inject arbitrary JavaScript payloads into these fields, which will execute in the browser of any user viewing the customer details. The affected version is v1.0, as referenced in the official description [1].

Exploitation

To exploit the vulnerability, an attacker must have network access to the inventory management system and register or log in as a user [2]. The reference classifies the attack as local in the sense that the attacker interacts directly with the web application as an ordinary registered user. The steps are: 1) navigate to the login page at /login.php, 2) click Register to create an account, 3) after redirection, go to the Sell section at /index.php?page=quick_sell, 4) click on "Add Customer", 5) enter a crafted payload (one beginning with "> to close the surrounding attribute and tag) into the Name, Address, and Company fields, and 6) click Submit. The payload is stored and subsequently executes whenever the customer record is viewed. No privileged access or user interaction beyond viewing the customer list is required for the payload to fire.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data displayed on the page (e.g., inventory details, user information). The impact is limited to the browser session of the authenticated user who views the compromised customer record. The attacker does not gain direct server-side control or elevated privileges on the application itself, but the XSS could be used as a stepping stone for further client-side attacks.

Mitigation

As of the publication date (2023-09-01), no official patch or fixed version has been released for Free and Open Source Inventory Management System v1.0 [1][2]. The vendor, SourceCodester, has not provided a security update. As a workaround, administrators should implement input validation and output encoding for all user-supplied data, especially in the Name, Address, and Company fields of the Add Customer section. Additionally, consider deploying a Web Application Firewall (WAF) to filter XSS payloads. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
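The output-encoding and input-validation workaround above, as an added illustration written for this page (it is not code from SourceCodester's Inventory Management System; the function names, the field limits and the edit.php link are hypothetical). It shows the vulnerable pattern of echoing stored customer fields straight into HTML next to the hardened pattern that encodes each value for its context, with a server-side validator applied before storage:

```php
<?php
// Added example (not code from the Free and Open Source Inventory
// Management System): context-aware output encoding for the Name, Address
// and Company fields of a customer record. All names here are hypothetical.

declare(strict_types=1);

// Encode a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES escapes both ' and " so a value cannot close the attribute it
// sits in; ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation for the Add Customer fields, applied before storage:
// required, length-limited, and rejecting angle brackets. Validation narrows
// the input but does not replace output encoding (an address like "Acme & Co"
// must still be encoded when rendered).
function validateCustomer(array $input): array
{
    $errors = [];
    $limits = ['name' => 100, 'address' => 255, 'company' => 100]; // assumed limits
    foreach ($limits as $field => $max) {
        $v = trim((string)($input[$field] ?? ''));
        if ($v === '') {
            $errors[$field] = 'required';
        } elseif (mb_strlen($v, 'UTF-8') > $max) {
            $errors[$field] = 'too long';
        } elseif (preg_match('/[<>]/', $v)) {
            $errors[$field] = 'angle brackets not allowed';
        }
    }
    return $errors;
}

// Vulnerable pattern: stored values are interpolated directly into markup,
// so a stored payload breaks out of the cell or the href attribute.
function renderCustomerVulnerable(array $c): string
{
    return "<tr><td>{$c['name']}</td><td>{$c['address']}</td>"
         . "<td>{$c['company']}</td>"
         . "<td><a href=\"edit.php?name={$c['name']}\">edit</a></td></tr>";
}

// Hardened pattern: every untrusted value is encoded for the context it lands
// in. A value placed in a URL query string is percent-encoded first and then
// attribute-encoded, because it crosses two contexts.
function renderCustomerSafe(array $c): string
{
    return '<tr><td>' . h($c['name']) . '</td><td>' . h($c['address']) . '</td>'
         . '<td>' . h($c['company']) . '</td>'
         . '<td><a href="edit.php?name=' . h(rawurlencode($c['name'])) . '">edit</a></td></tr>';
}

// Constructed sample record: the Name field carries a tag-breaking payload of
// the kind this advisory describes; the Company field shows a benign ampersand.
$sample = [
    'name'    => '"><script>alert(1)</script>',
    'address' => '1 Main St',
    'company' => 'Acme & Co',
];

echo 'Validation errors: ' . json_encode(validateCustomer($sample)) . PHP_EOL;
echo 'Vulnerable: ' . renderCustomerVulnerable($sample) . PHP_EOL;
echo 'Safe:       ' . renderCustomerSafe($sample) . PHP_EOL;
```

Run with php on the command line: the validator rejects the sample name, the vulnerable renderer emits a live script tag inside the table row, and the safe renderer emits the same text with &lt;, &gt; and &quot; in place of the markup characters, so the browser displays the payload as inert text.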

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)