code-projects Pharmacy Management System Manage Medicines Page manage_medicine.php cross site scripting
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /manage_medicine.php of the component Manage Medicines Page. The manipulation of the argument name/address/doctor_address/suppliers_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting files to be affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Pharmacy Management System 1.0 via unsanitized name/address/doctor_address/suppliers_name on /manage_medicine.php allows remote attacks.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the code-projects Pharmacy Management System version 1.0. The flaw resides in the /manage_medicine.php page within the Manage Medicines functionality. Input parameters such as name, address, doctor_address, and suppliers_name are not properly sanitized before being stored and later rendered, allowing an attacker to inject arbitrary JavaScript. The vulnerability is classified as problematic (CVSS unknown) and affects the unpatched 1.0 release [1][2].
Exploitation
An attacker can launch the attack remotely with no prior authentication required. By crafting a GET request to /manage_medicine.php?action=update&id=...&name=...&suppliers_name=, the malicious payload is stored in the database. When an administrator or any user visits the affected medicine record, the script executes in the context of the victim's browser. No special privileges or user interaction beyond normal page access are needed [2].
Impact
Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive information (e.g., login cookies), privilege escalation, web content defacement, or redirection to malicious sites. The impact is amplified because the script persists for all subsequent viewers, posing a high risk to both administrators and regular users [2].
Mitigation
As of the publication date (2024-10-21), no official patch is available. The project appears unmaintained on the code-projects platform [1]. Administrators should sanitize all user-supplied input in manage_medicine.php, implement output encoding, and consider using a Content Security Policy (CSP). Until a fix is deployed, avoid processing untrusted data via the affected endpoint. The vulnerability is publicly disclosed and may be exploited [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 1.0
- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input in the `suppliers_name` parameter (and similar fields) is not sanitized before being stored and later rendered in the browser, leading to stored cross-site scripting."
Attack vector
An attacker can inject a malicious JavaScript payload into the `suppliers_name` parameter of the update request to `/manage_medicine.php`. The payload is URL-encoded in the GET request (e.g., `%3Cscript%3Ealert(%22/XSS/%22);%3C/script%3E`) and, because the input is not sanitized, it is stored in the database. Every time an administrator or user accesses the affected medicine record, the stored script executes in the browser, enabling session hijacking, credential theft, or content defacement [ref_id=1].
Affected code
The vulnerability is in the file `/manage_medicine.php` on the Manage Medicines Page, specifically within the `suppliers_name` parameter used during an update action. The researcher advisory also notes that a similar issue exists in `/manage_customer.php` with the `name`, `address`, and `doctor_address` parameters [ref_id=1].
What the fix does
No patch has been published for this vulnerability; the advisory lists the status as "Unpatched" [ref_id=1]. To remediate the issue, the application must properly sanitize and encode all user-supplied input fields—such as `name`, `address`, `doctor_address`, and `suppliers_name`—before storing them in the database or rendering them in HTML output. Output encoding should be applied contextually (e.g., HTML entity encoding) to prevent script execution.
Preconditions
- networkThe attacker must be able to send HTTP requests to the Pharmacy Management System web interface.
- authNo authentication is required to trigger the stored XSS; the payload executes when any user (including administrators) views the affected record.
Reproduction
1. Send a GET request to the vulnerable URL with a malicious payload in the `suppliers_name` parameter: `GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert(%22/XSS/%22);%3C/script%3E HTTP/1.1` [ref_id=1]. 2. The payload is stored in the database. 3. Navigate to the Manage Medicines page or any page that displays the affected medicine record; the injected script executes in the browser.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/higordiego/0dae6dd4a36acd12bcc408caf1c787d9mitreexploit
- vuldb.commitrethird-party-advisory
- code-projects.orgmitreproduct
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.