code-projects Pharmacy Management System Manage Supplier Page manage_supplier.php cross site scripting
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /manage_supplier.php of the component Manage Supplier Page. The manipulation of the argument address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Pharmacy Management System 1.0 via unsanitized address parameter on manage_supplier.php allows remote attackers to execute arbitrary JavaScript.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /manage_supplier.php endpoint, specifically in the update action. The address parameter is not sanitized before being saved to the database, allowing an attacker to inject malicious JavaScript. The vulnerability is reachable remotely without authentication, as the affected page is accessible by any user who can access the application's web interface [1], [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to /php/manage_supplier.php?action=update&id=35&name=A&email=contato@gmail.com&contact_number=0987654321&address=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E. The malicious payload is stored in the database and executes whenever any user (including administrators) views the affected supplier record. The attack requires no authentication and can be performed remotely. A proof of concept has been publicly disclosed [2].
Impact
Successful exploitation results in stored cross-site scripting, leading to potential session hijacking, theft of sensitive data (such as authentication tokens), privilege escalation, website defacement, and phishing attacks. The persistent nature of the stored XSS means the malicious script runs each time the affected page is loaded, increasing the likelihood of compromising administrators or other users [2].
Mitigation
No official patch has been released as of the publication date. The vendor has not provided a fix or advisory. Administrators should sanitize and validate the address parameter on the server side before storing it in the database. Disabling the affected endpoint or applying web application firewall (WAF) rules to block XSS patterns can serve as temporary workarounds [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the address parameter allows stored cross-site scripting."
Attack vector
An attacker sends a crafted GET request to `/php/manage_supplier.php?action=update` with a malicious JavaScript payload in the `address` parameter [ref_id=1]. The payload is URL-encoded (e.g., `%3Cscript%3Ealert(%22XSS%22);%3C/script%3E`) and submitted over HTTP. Because the input is not sanitized before being saved to the database, the script persists and executes in the browser of any user who views the affected supplier record [ref_id=1]. The attack is remote and requires no special authentication beyond access to the supplier management page.
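The request shape described in the Exploitation and Attack vector sections is simple enough to spot in web-server logs. The following PHP script is an added example, not part of the advisory, the reference gist or the product: it parses constructed access-log lines (the lines in SAMPLE_LOG are made up for this example; the first one carries the query string from the published proof of concept) and flags manage_supplier.php update requests whose parameters contain markup. The regex is a heuristic and the check assumes Common/Combined Log Format and PHP 8.0 or later.

```php
<?php
// Added example, not part of the advisory or the product: flag access-log
// lines where the manage_supplier.php update action carries markup in a
// parameter. The log lines below are constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [26/May/2026:10:01:02 +0000] "GET /php/manage_supplier.php?action=update&id=35&name=A&email=contato@gmail.com&contact_number=0987654321&address=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E HTTP/1.1" 200 512
10.0.0.7 - - [26/May/2026:10:02:10 +0000] "GET /php/manage_supplier.php?action=update&id=12&name=Acme&email=a@b.test&contact_number=111&address=12+Main+St HTTP/1.1" 200 512
10.0.0.9 - - [26/May/2026:10:03:00 +0000] "GET /php/manage_supplier.php?action=update&id=13&name=B&email=c@d.test&contact_number=222&address=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512
10.0.0.9 - - [26/May/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 100
LOG;

/** True when a parameter value contains tag, javascript: or on*= indicators (heuristic). */
function looksLikeMarkup(string $value): bool
{
    // Decode again so a double-encoded payload is also caught.
    $decoded = rawurldecode(rawurldecode($value));
    return (bool) preg_match('/<\s*\/?\s*[a-z!]|javascript\s*:|on[a-z]+\s*=/i', $decoded);
}

/** Parse the quoted request line of a Common/Combined Log Format entry. */
function parseRequestLine(string $line): ?array
{
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    $query = [];
    parse_str($parts['query'] ?? '', $query);   // parse_str URL-decodes the values
    return ['method' => $m[1], 'path' => $parts['path'] ?? '', 'query' => $query];
}

/** Scan log text and return one hit per suspicious parameter of an update request. */
function findSuspiciousSupplierUpdates(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $req = parseRequestLine($line);
        if ($req === null || !str_ends_with($req['path'], '/manage_supplier.php')) {
            continue;
        }
        $q = $req['query'];
        if (($q['action'] ?? '') !== 'update') {
            continue;
        }
        // The advisory names address but notes other parameters may be affected,
        // so every user-supplied field of the update is checked.
        foreach (['address', 'name', 'email', 'contact_number'] as $param) {
            if (isset($q[$param]) && is_string($q[$param]) && looksLikeMarkup($q[$param])) {
                $hits[] = [
                    'client' => strtok($line, ' '),
                    'id'     => $q['id'] ?? '',
                    'param'  => $param,
                    'value'  => $q[$param],
                ];
            }
        }
    }
    return $hits;
}

foreach (findSuspiciousSupplierUpdates(SAMPLE_LOG) as $hit) {
    printf("ALERT client=%s supplier_id=%s param=%s value=%s\n",
        $hit['client'], $hit['id'], $hit['param'], $hit['value']);
}
```

Run against the constructed sample, the first and third lines produce alerts and the plain "12 Main St" update does not. Because the update is accepted over GET, the full payload lands in standard access logs, which is what makes this retrospective check possible; a POST-only endpoint would need request-body logging or a WAF to see the same data.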
Affected code
The vulnerable endpoint is `/php/manage_supplier.php` with the `action=update` parameter. The `address` parameter is passed directly via GET request and stored without sanitization [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends properly sanitizing and encoding the `address` parameter before storing it in the database and before rendering it in the browser. Output encoding (e.g., HTML entity encoding) on the display side would prevent the injected script from executing.
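The Mitigation and "What the fix does" sections describe the remedy in prose: validate on the way in, encode on the way out. The PHP below is an added example of what a hardened manage_supplier.php update action could look like; it is not the project's code and no patch exists to quote. It assumes a PDO connection in $pdo, a `suppliers` table with the columns used here, and a login session that stores `user_id`; all of these are assumptions, not details from the product.

```php
<?php
// Added example, not code from code-projects Pharmacy Management System: a
// hardened version of the manage_supplier.php "update" action. The PDO
// connection $pdo, the `suppliers` table and its column names are assumptions.
declare(strict_types=1);

/** HTML-encode a value for safe insertion into an HTML text node or quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Validate the supplier fields sent by the client. Validation limits what
 * reaches the database, but output encoding in renderSupplierRow() is what
 * actually stops a stored script from executing, so both are applied.
 */
function validateSupplierInput(array $input): array
{
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    $name = trim((string) ($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('invalid name');
    }
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $contact = trim((string) ($input['contact_number'] ?? ''));
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $contact)) {
        throw new InvalidArgumentException('invalid contact_number');
    }
    // address is free text, so it is only bounded and stripped of control
    // characters; any markup it contains is neutralised at render time.
    $address = trim((string) ($input['address'] ?? ''));
    if ($address === '' || mb_strlen($address) > 255
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $address)) {
        throw new InvalidArgumentException('invalid address');
    }
    return ['id' => $id, 'name' => $name, 'email' => $email,
            'contact_number' => $contact, 'address' => $address];
}

/** Persist the update with a prepared statement so values are never interpolated into SQL. */
function updateSupplier(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare(
        'UPDATE suppliers SET name = :name, email = :email, contact_number = :contact, address = :address WHERE id = :id'
    );
    $stmt->execute([
        ':name' => $clean['name'], ':email' => $clean['email'],
        ':contact' => $clean['contact_number'], ':address' => $clean['address'],
        ':id' => $clean['id'],
    ]);
}

/** Render one supplier row; every stored value passes through h() on the way out. */
function renderSupplierRow(array $row): string
{
    return '<tr><td>' . h((string) $row['name']) . '</td><td>' . h((string) $row['email']) . '</td><td>'
         . h((string) $row['contact_number']) . '</td><td>' . h((string) $row['address']) . '</td></tr>';
}

/**
 * Entry point for action=update. State-changing requests are accepted only
 * via POST from an authenticated session (the vulnerable endpoint took them
 * over GET). Returns the HTTP status the caller should send.
 */
function handleUpdateRequest(PDO $pdo, string $method, ?int $sessionUserId, array $post): int
{
    if ($sessionUserId === null) {
        return 403;
    }
    if ($method !== 'POST') {
        return 405;
    }
    try {
        updateSupplier($pdo, validateSupplierInput($post));
        return 303; // caller redirects back to the supplier list
    } catch (InvalidArgumentException $e) {
        return 400;
    }
}

if (($_GET['action'] ?? '') === 'update') {
    session_start();   // assumes the app's login stores user_id in the session
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    $status = handleUpdateRequest($pdo, $_SERVER['REQUEST_METHOD'], $userId, $_POST);
    http_response_code($status);
    if ($status === 303) {
        header('Location: /php/manage_supplier.php');
    }
    exit;
}
```

With this in place the proof-of-concept value is still stored as the supplier's address (the free-text field cannot reasonably reject angle brackets outright), but renderSupplierRow() emits it as entity-encoded text, so the browser displays it instead of executing it. A CSRF token check on the POST belongs in handleUpdateRequest() as well; it is left out here only to keep the example focused on the XSS fix.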
Preconditions
- network: Attacker must have network access to the Pharmacy Management System web interface
- config: The application must be running version 1.0 with the supplier management page exposed
Reproduction
Send the following GET request to the vulnerable server (adjust Host and cookie as needed):
```
GET /php/manage_supplier.php?action=update&id=35&name=A&email=contato@gmail.com&contact_number=0987654321&address=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E HTTP/1.1
Host: localhost:8080
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
```
When the supplier record is subsequently viewed, the JavaScript payload executes in the browser, displaying an alert box [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/bc051be4a8c6b6641578cad533742aab (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.