code-projects Pharmacy Management System Manage Customer Page manage_customer.php cross site scripting
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /manage_customer.php of the component Manage Customer Page. The manipulation of the argument suppliers_name/address leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting files to be affected. Other parameters might be affected as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pharmacy Management System 1.0 has a stored XSS in /manage_customer.php that lets remote attackers inject script via the suppliers_name/address parameters.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /manage_customer.php file within the Manage Customer Page. The suppliers_name and address parameters are not sanitized before being stored and displayed, allowing an attacker to inject arbitrary JavaScript code. The same or similar parameters in /php/manage_medicine.php have also been reported as vulnerable [2].
Exploitation
The attacker does not need authentication; the attack can be launched remotely via a crafted HTTP GET request. The researcher's PoC uses the suppliers_name parameter with a payload such as %3Cscript%3Ealert('XSS')%3C/script%3E [2]. Once the input is submitted, the malicious script is stored in the database. An administrator or any user viewing the affected customer or medicine record will trigger the stored script in their browser.
Impact
Successful exploitation leads to persistent JavaScript execution in the victim's browser. The attacker can achieve session hijacking, theft of cookies or session tokens, privilege escalation, data exfiltration, or UI defacement. Since the payload runs each time the vulnerable page is loaded, the impact can be widespread and long-lasting [2].
Mitigation
As of the publication date (2024-10-21), no official patch has been released by the vendor (code-projects). The affected version is 1.0, and the application may be considered end-of-life. The researcher marks the vulnerability as “Unpatched” [2]. Users should apply input validation and output encoding on all user-supplied parameters, or consider replacing the software with a maintained alternative.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the suppliers_name and address parameters allows stored cross-site scripting."
Attack vector
An attacker sends a crafted HTTP GET request to the vulnerable page with a malicious JavaScript payload in the `suppliers_name` or `address` parameter. The payload is URL-encoded (e.g., `%3Cscript%3Ealert('XSS')%3C/script%3E`), and the advisory notes no authentication barrier [ref_id=1]. Because the application lacks input sanitization, the script is stored in the database and executed in the browser of any administrator or user who subsequently views the affected record, enabling session hijacking, data theft, or UI manipulation [ref_id=1].
Affected code
The vulnerability is in the file `/manage_customer.php` (Manage Customer Page) of the Pharmacy Management System 1.0. The researcher's advisory also identifies `/php/manage_medicine.php?action=update` as a vulnerable endpoint, noting "contradicting files to be affected" [ref_id=1]. The `suppliers_name` and `address` parameters are the injection points [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory states the issue is "Unpatched" and arises from "the absence of proper input sanitization in the suppliers_name parameter" [ref_id=1]. To remediate, the application must validate and encode all user-supplied input before storing it in the database and before rendering it in HTML output, preventing script execution.
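The remediation described in the Mitigation and "What the fix does" sections (encode on output, validate on input), shown as an added PHP example that is not code from Pharmacy Management System; the function names and the `suppliers`/`id` column names are assumptions modelled on the parameters the advisory names:

```php
<?php
// Added example, not code from Pharmacy Management System: the defect class
// the advisory describes and its fix, for a supplier record. Function names
// and the column names suppliers_name/address are assumptions modelled on
// the parameters the advisory names.
declare(strict_types=1);

// Vulnerable pattern: a stored value is concatenated straight into HTML, so a
// stored "<script>...</script>" becomes live markup every time the row is shown.
function render_supplier_vulnerable(array $row): string
{
    return '<td>' . $row['suppliers_name'] . '</td><td>' . $row['address'] . '</td>';
}

// Fix: encode at the point the value enters HTML. ENT_QUOTES also encodes
// single quotes so the same helper is safe inside quoted attributes; the
// explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_supplier_safe(array $row): string
{
    return '<td>' . h($row['suppliers_name']) . '</td><td>' . h($row['address']) . '</td>';
}

// Defence in depth on the way in: validate length and keep the SQL
// parameterised. Input checks narrow the attack surface but do not replace
// output encoding, because a stored value may later be rendered in contexts
// the input filter never anticipated.
function store_supplier(PDO $db, int $id, string $name, string $address): void
{
    if (mb_strlen($name) > 100 || mb_strlen($address) > 255) {
        throw new InvalidArgumentException('field too long');
    }
    $stmt = $db->prepare(
        'UPDATE suppliers SET suppliers_name = :n, address = :a WHERE id = :id'
    );
    $stmt->execute([':n' => $name, ':a' => $address, ':id' => $id]);
}

// Constructed sample row holding the advisory's PoC payload as it would sit in
// the database after a successful injection.
$row = ['suppliers_name' => "<script>alert('XSS')</script>", 'address' => 'Main St 1'];
echo render_supplier_vulnerable($row), PHP_EOL; // script element emitted verbatim
echo render_supplier_safe($row), PHP_EOL;       // angle brackets and quotes become entities
```

Run with `php example.php` (PDO is only needed if `store_supplier` is called); the second line of output shows the payload rendered as inert text rather than executed.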
Preconditions
- network: The attacker must be able to reach the web application (no network segmentation assumed)
- auth: No authentication is mentioned as a barrier; the advisory implies unauthenticated or low-privilege access to the vulnerable page
- input: The attacker supplies a JavaScript payload in the suppliers_name or address parameter
Reproduction
1. Send a GET request to `/php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert('XSS')%3C/script%3E` against the target host [ref_id=1].
2. The payload is stored in the database.
3. Any subsequent access to the page displaying the medicine record will execute the injected script, producing an alert box (or performing a more advanced action) [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/93343006341d3799de0cb8912cc328ec (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.