VYPR
Unrated severity · NVD Advisory · Published Nov 26, 2024 · Updated Nov 28, 2024

SourceCodester Best House Rental Management System ajax.php cross site scripting

CVE-2024-11742

Description

A vulnerability, which was classified as problematic, has been found in SourceCodester Best House Rental Management System 1.0. This issue affects some unknown processing of the file /rental/ajax.php?action=save_tenant. The manipulation of the argument lastname/firstname/middlename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in SourceCodester Best House Rental Management System 1.0 allows remote attackers to inject arbitrary JavaScript via unsanitized tenant name parameters.

Vulnerability

The Best House Rental Management System version 1.0 from SourceCodester contains a stored cross-site scripting (XSS) vulnerability in the save_tenant function within /rental/ajax.php?action=save_tenant. The lastname, firstname, and middlename parameters are not properly sanitized before being stored and later rendered on the tenants page (/rental/index.php?page=tenants). This allows an attacker to inject arbitrary HTML and JavaScript code. The vulnerability is classified as problematic and affects all installations of version 1.0. [1]

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted POST request to /rental/ajax.php?action=save_tenant with malicious payloads in the lastname, firstname, or middlename fields. The provided proof-of-concept uses `` as the payload. The request is sent as multipart/form-data. Once the tenant record is saved, any user who visits the tenants page will execute the injected script. No special privileges or user interaction beyond visiting the page is required. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when they view the tenants list. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The attack is stored, meaning the malicious script persists and affects all subsequent visitors. The impact is limited to the browser session and does not directly compromise the server. [1]

Mitigation

As of the publication date (2024-11-26), no official patch has been released by SourceCodester. The vendor has not provided a fixed version. Users should sanitize all input parameters in the save_tenant function, specifically escaping HTML entities for lastname, firstname, and middlename. Until a patch is available, consider implementing a web application firewall (WAF) rule to block XSS payloads or restrict access to the tenant management interface. The vulnerability is publicly disclosed and may be exploited. [1]
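The escaping the mitigation calls for, shown as an added example rather than the project's own code: the real ajax.php is not on this page, so save_tenant() and render_tenant_row() below are hypothetical stand-ins for the handler and the tenants-page row, and the probe string is constructed.

```php
<?php
// Added example (not the project's code): a hardened pattern for the
// tenant-name fields named in the advisory. The real ajax.php is not on
// the page; save_tenant() and render_tenant_row() here are hypothetical.
declare(strict_types=1);

// Escape on output: the durable fix for stored XSS. Every untrusted value
// placed into HTML goes through this, whatever input validation did.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate on input: a person's name needs no angle brackets or quotes.
// Rejecting them early is defence in depth, not a substitute for escaping.
function validate_name(string $s): ?string
{
    $s = trim($s);
    if ($s === '' || strlen($s) > 200) {   // byte length bound
        return null;
    }
    // Unicode letters and marks, spaces, hyphens, apostrophes, periods only.
    return preg_match("/^[\p{L}\p{M} .'-]+\$/u", $s) === 1 ? $s : null;
}

// Hypothetical save_tenant handler: middlename is optional, the rest required.
function save_tenant(array $post): array
{
    $record = [];
    foreach (['firstname', 'middlename', 'lastname'] as $field) {
        $value = validate_name((string)($post[$field] ?? ''));
        if ($value === null && $field !== 'middlename') {
            return ['ok' => false, 'error' => "invalid $field"];
        }
        $record[$field] = $value ?? '';
    }
    return ['ok' => true, 'tenant' => $record];
}

// Hypothetical tenants-page row renderer: escaping happens at this boundary.
function render_tenant_row(array $t): string
{
    return '<td>' . esc_html($t['lastname']) . ', ' . esc_html($t['firstname'])
         . ' ' . esc_html($t['middlename']) . '</td>';
}

// Constructed sample: a script tag where a last name belongs.
$probe = ['firstname' => 'Ann', 'middlename' => '', 'lastname' => '<script>alert(1)</script>'];
var_dump(save_tenant($probe)['ok']);      // bool(false): rejected on input
echo render_tenant_row($probe), "\n";     // legacy rows render inert: &lt;script&gt;...
```

Records already stored before the fix still reach the browser through the renderer, so the output escaping is what neutralises them; the input check only keeps new bad records out.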

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
