VYPR
Unrated severity · NVD Advisory · Published Sep 8, 2023 · Updated Sep 26, 2024

CVE-2023-39712


Description

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name, Address, and Company parameters under the Add New Put section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple stored XSS vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to inject arbitrary scripts via the Name, Address, and Company parameters.

Vulnerability

The Free and Open Source Inventory Management System v1.0 [1] is vulnerable to multiple stored cross-site scripting (XSS) attacks. The vulnerability exists in the "Add New Put" section under the supplier page, where the Name, Address, and Company input fields are not properly sanitized. An attacker can inject arbitrary web scripts or HTML via these parameters, which are then stored and executed when the page is viewed.

Exploitation

An attacker must first register and log in to the application, then navigate to the supplier section at index.php?page=suppliar and click "Add New". In the Name, Address, and Company fields, the attacker inputs a payload such as ">. Upon submission, the payload is stored and executed in the context of any user viewing the supplier records [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the browser of any user who accesses the affected supplier page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack requires no special privileges beyond a registered user account.

Mitigation

As of the publication date, no official patch or updated version has been released to address these XSS vulnerabilities. The vendor has not provided a fixed version or workaround [1][2]. Users should consider applying input validation and output encoding manually or disabling the affected functionality until a fix is available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization and output encoding in the Name, Address, and Company parameters allows stored/reflected XSS."

Attack vector

An attacker registers an account on the application, navigates to the Supplier section, and clicks "Add New" to reach the vulnerable form. The attacker injects a crafted payload such as `">

Affected code

The vulnerability exists in the "Add New Put" section of the Suppliar (Supplier) page at `/ample/index.php?page=suppliar` within the Free and Open Source Inventory Management System v1.0. The Name, Address, and Company input fields lack proper sanitization before reflecting user-supplied data back to the page [ref_id=1].

What the fix does

No patch or official fix is included in the bundle. The advisory does not specify any remediation steps from the vendor. To close this vulnerability, the application should sanitize and encode all user-supplied input in the Name, Address, and Company fields before rendering them in the HTML response, and apply output encoding consistent with the context (e.g., HTML entity encoding) [ref_id=1].
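To make the mitigation above concrete, here is an added PHP example (not code from the Free and Open Source Inventory Management System or its vendor) that places the vulnerable rendering pattern the advisory describes beside a hardened version. The function names, the supplier array shape and the sample record are assumptions made for this illustration; the sample Name value is a constructed, benign markup fragment that stands in for an injected payload.

```php
<?php
// Added example, not the inventory system's own code.
// Assumes supplier rows with id/name/address/company fields, as in the advisory.
declare(strict_types=1);

/** Encode a value for an HTML text or double-quoted attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Server-side validation of the three fields before they are stored.
 * Validation narrows what gets into the database (length, no control characters);
 * it is a complement to output encoding, not a substitute for it.
 */
function validate_supplier(array $input): array
{
    $errors = [];
    foreach (['name', 'address', 'company'] as $field) {
        $v = trim((string)($input[$field] ?? ''));
        if ($v === '' || mb_strlen($v, 'UTF-8') > 200) {
            $errors[$field] = 'must be 1-200 characters';
        } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $v) === 1) {
            $errors[$field] = 'contains control characters';
        }
    }
    return $errors;
}

/** Vulnerable pattern: stored field values interpolated into HTML unencoded. */
function render_row_unsafe(array $s): string
{
    return "<tr><td>{$s['name']}</td><td>{$s['address']}</td><td>{$s['company']}</td>"
         . "<td><a href=\"index.php?page=suppliar&id={$s['id']}\" title=\"{$s['name']}\">edit</a></td></tr>";
}

/** Hardened pattern: every interpolated value is encoded for its HTML context. */
function render_row_safe(array $s): string
{
    $id = (int)$s['id'];   // numeric cast: the id is only ever an integer in this context
    return "<tr><td>" . h($s['name']) . "</td><td>" . h($s['address']) . "</td><td>" . h($s['company']) . "</td>"
         . "<td><a href=\"index.php?page=suppliar&amp;id={$id}\" title=\"" . h($s['name']) . "\">edit</a></td></tr>";
}

// Constructed sample record: the Name value closes an attribute and opens a tag.
$supplier = [
    'id'      => 7,
    'name'    => '"><b>bold</b>',
    'address' => '1 Main St',
    'company' => 'Acme & Co',
];

print_r(validate_supplier($supplier));        // [] : passes validation, so encoding must do the work
echo render_row_unsafe($supplier), "\n";      // the Name markup is emitted verbatim and becomes live HTML
echo render_row_safe($supplier), "\n";        // Name appears as &quot;&gt;&lt;b&gt;bold&lt;/b&gt;, i.e. as text
```

The important point is in the two render functions: the unsafe row breaks both in the table cell (text context) and inside the `title` attribute (attribute context), while `htmlspecialchars` with `ENT_QUOTES` neutralises both because it encodes `<`, `>`, `&`, `"` and `'`. Values that are emitted into other contexts (a JavaScript string, a URL, a CSS value) need an encoder for that context rather than HTML entity encoding.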

Preconditions

  • auth: Attacker must have a registered account on the application
  • input: Attacker must navigate to the Supplier section and access the Add New form
  • network: Application must be reachable over the network (local network per advisory)

Reproduction

1. Visit `http://localhost/ample/login.php` and click "Register" to create an account.
2. After registration, navigate to `http://localhost/ample/index.php?page=suppliar` and click "Add New".
3. In the Name, Address, and Company fields, inject the payload `">

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
