CVE-2023-39714
Description
Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name, Address, and Company parameters under the Add New Member section.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple stored XSS vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to inject arbitrary web scripts via Name, Address, and Company fields.
Vulnerability
Free and Open Source Inventory Management System v1.0 [1] contains multiple stored cross-site scripting (XSS) vulnerabilities in the Add New Member form of the Supplier page (spelled "Suppliar" in the application). The Name, Address, and Company parameters are stored without sanitization and later rendered without output encoding, allowing injection of arbitrary HTML and JavaScript. The vulnerable form is reachable by any user who can register an account and open the supplier management workflow.
Exploitation
An attacker first needs an account, which the application's registration page provides. After logging in, the attacker navigates to the Suppliar section, clicks "Add New Member", enters a payload such as `"><script>alert(123)</script>` in the Name, Address, or Company field, and submits the form. The payload is stored and executes whenever any user (for example an administrator) views the member list, triggering the XSS [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data, or further attacks against the application and its users. The impact depends on the privileges of the victim; an administrator compromise could result in full application control.
Mitigation
As of the publication date, no official patch has been released by the vendor; the software is open source, but no update addressing this vulnerability is available. Users should encode these fields for the HTML context in which they are rendered (HTML entity encoding that also escapes quotes, so values placed inside attributes cannot break out) and validate user-supplied data on the server side. A Web Application Firewall (WAF) can filter common payloads but is not a substitute for output encoding. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Free and Open Source Inventory Management System / Free and Open Source Inventory Management System
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored cross-site scripting (XSS) due to insufficient sanitization of user-supplied input in the Name, Address, and Company fields."
Attack vector
An attacker registers an account on the application, navigates to the Supplier section at `/index.php?page=suppliar`, and clicks "Add New Member" [ref_id=1]. The attacker injects a crafted payload such as `"><script>alert(123)</script>` into the Name, Address, or Company parameters and submits the form [ref_id=1]. The payload is stored and later rendered, unencoded, in the browser of any user who views the affected member entry, resulting in arbitrary JavaScript execution [ref_id=1].
Affected code
The advisory identifies the Supplier section at `/index.php?page=suppliar` and the "Add New Member" form as the vulnerable code path [ref_id=1]. The Name, Address, and Company input fields lack sanitization, allowing stored XSS payloads [ref_id=1].
What the fix does
No patch is included in the bundle and the advisory does not describe a fix. Remediation requires encoding the Name, Address, and Company values for the context in which they are rendered (HTML entity encoding that also escapes quotes, applied at output time), together with server-side input validation before the values are stored. A Content Security Policy that disallows inline scripts limits the impact of any template that still echoes raw input.
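The output-encoding fix described above (and the encoding guidance in the Mitigation section earlier on the page), as an added example that is not code from Free and Open Source Inventory Management System or from its advisory: a PHP fragment that renders a supplier record the way a vulnerable template would (raw string interpolation) beside a hardened render that uses htmlspecialchars() with quote escaping, plus the Content Security Policy header suggested as defence in depth. The record layout, the field keys `name`/`address`/`company`, the table markup and the helper names `h()`, `render_supplier_unsafe()`, `render_supplier_safe()` and `send_csp_header()` are assumptions for illustration; the sample record is constructed and carries the advisory's payload.

```php
<?php
// Added example, not code from Free and Open Source Inventory Management System.
// Models the "Add New Member" supplier record from the advisory and contrasts an
// unescaped render (the vulnerable pattern) with a hardened one. Field keys,
// markup and helper names are assumptions for illustration.
declare(strict_types=1);

// Constructed sample record: the advisory's payload placed in each affected field.
$payload  = '"><script>alert(123)</script>';
$supplier = [
    'name'    => $payload,
    'address' => '12 Example Street ' . $payload,
    'company' => $payload,
];

// Vulnerable pattern: stored values are concatenated straight into the HTML.
// The leading "> closes whatever attribute or tag the value sits in, and the
// <script> element that follows runs in every viewer's browser.
function render_supplier_unsafe(array $s): string
{
    return '<tr>'
        . '<td>' . $s['name'] . '</td>'
        . '<td>' . $s['address'] . '</td>'
        . '<td><input value="' . $s['company'] . '"></td>'
        . '</tr>';
}

// Hardened pattern: encode on output for the HTML context. ENT_QUOTES turns
// both " and ' into entities so a value inside an attribute cannot break out;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset keeps multibyte sequences from hiding a quote.
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_supplier_safe(array $s): string
{
    return '<tr>'
        . '<td>' . h($s['name']) . '</td>'
        . '<td>' . h($s['address']) . '</td>'
        . '<td><input value="' . h($s['company']) . '"></td>'
        . '</tr>';
}

// Defence in depth: a CSP without 'unsafe-inline' makes the browser refuse an
// injected inline <script> even if one template still echoes raw input.
// Must be sent before any output, e.g. at the top of index.php.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

send_csp_header();
echo "Unsafe render:\n" . render_supplier_unsafe($supplier) . "\n\n";
echo "Hardened render:\n" . render_supplier_safe($supplier) . "\n";

// Self-check: the hardened render must not contain a raw tag from the payload.
if (strpos(render_supplier_safe($supplier), '<script') !== false) {
    throw new RuntimeException('hardened render still contains a raw <script> tag');
}
```

Run it with the PHP CLI (`php example.php`); the unsafe output contains the literal `<script>alert(123)</script>`, while the hardened output shows `&quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt;` and the `value` attribute stays closed. Encoding belongs at every render site of these fields, not only on the member list, and the CSP is a backstop rather than a replacement for it.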
Preconditions
- network: Attacker must have network access to the application login page
- auth: Attacker must register an account and log in
- input: Attacker must navigate to the Supplier section and access the Add New Member form
Reproduction
1. Visit http://localhost/ample/login.php and click "Register" to create an account.
2. After registration, navigate to http://localhost/ample/index.php?page=suppliar and click "Add New Member".
3. In the Name, Address, and Company fields, enter the payload `"><script>alert(123)</script>`.
4. Click Submit. The stored payload executes and an alert showing 123 appears [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.