Unrated severity · NVD Advisory · Published Oct 14, 2023 · Updated Aug 2, 2024

SourceCodester Medicine Tracker System index.php cross site scripting

CVE-2023-5581

Description

A vulnerability classified as problematic was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file index.php. The manipulation of the argument page leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-242146 is the identifier assigned to this vulnerability.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output neutralization of the `page` parameter in `index.php` allows reflected cross-site scripting (XSS)."

Attack vector

An attacker sends a crafted GET request to `/php-mts/index.php` with a malicious `page` parameter. The payload `1">

Affected code

The vulnerability resides in `index.php` of the Medicine Tracker System. The `page` parameter is echoed back into the page without sanitization, allowing an attacker to inject arbitrary HTML or JavaScript.

What the fix does

No patch has been published by the vendor. The researcher's advisory [ref_id=1] identifies the issue as a reflected XSS in `index.php` where the `page` argument is not neutralized before output. The remediation would require proper output encoding or input validation on the `page` parameter to prevent script injection.
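One way to apply the remediation described above, as an added example and not code from the vendor or the researcher's advisory. The allowlisted page names, the helpers `resolve_page`, `h` and `render_link`, and the shape of the vulnerable sink are assumptions, since the advisory does not show the affected code.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; the application's real page names are not given in the advisory.
const ALLOWED_PAGES = ['home', 'medicines', 'history'];

/**
 * Input validation: map the raw `page` argument to a known page name,
 * falling back to a default instead of reflecting unexpected input.
 */
function resolve_page(mixed $raw): string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($raw)) {
        return 'home';
    }
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : 'home';
}

/**
 * Output encoding for HTML text and quoted-attribute contexts.
 * ENT_QUOTES encodes both " and ', so a value cannot close the attribute.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (assumed shape of the sink): raw reflection into an attribute.
//   echo '<a href="?page=' . $_GET['page'] . '">';

// Hardened: validate first, then still encode at the point of output.
function render_link(mixed $raw): string
{
    $page = resolve_page($raw);
    return '<a href="?page=' . h(rawurlencode($page)) . '">' . h($page) . '</a>';
}

// Constructed inputs: a valid page, a value containing markup characters, an array.
foreach (['medicines', 'x"><b>', ['a']] as $sample) {
    echo render_link($sample), PHP_EOL;
}

// Encoding alone, for values that must be reflected as free text.
echo h('x"><b>'), PHP_EOL;
```

Validation and encoding are kept as separate steps so that the output stays safe even if the allowlist is later widened.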

Preconditions

  • auth: No authentication required; the vulnerable endpoint is publicly accessible
  • network: Attacker must be able to send HTTP GET requests to the server
  • input: The `page` parameter is user-controllable and reflected in the response

Reproduction

Send the following GET request to the server:

```
GET /php-mts/index.php?page=1">
```

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
