CVE-2024-33303

Vulnerability

SourceCodester Product Show Room 1.0 is vulnerable to stored cross-site scripting (XSS) in the First Name parameter of the user creation functionality. The affected endpoint is /psrs/classes/Users.php?f=save, which accepts a POST request. The application fails to sanitize or encode the First Name input before storing it, allowing an attacker to inject arbitrary JavaScript code that persists in the database and executes when any user views the affected page [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to /psrs/classes/Users.php?f=save with a malicious payload in the First Name parameter. No authentication is explicitly required, but the attacker must be able to reach the endpoint. The proof-of-concept payload uses an ` tag with an onerror event to execute JavaScript, such as ">`. Once the request is processed, the payload is stored and executed in the browsers of any user (including administrators) who subsequently accesses the user list or profile page [1].

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, account takeover, and further malicious actions such as defacement or redirection to phishing sites. The attack is persistent, affecting all users who view the compromised data [1].

Mitigation

As of the publication date (2024-05-02), no official patch has been released by SourceCodester for Product Show Room 1.0. The vendor has not acknowledged the vulnerability or provided a fixed version. Mitigation requires manual input validation and output encoding: sanitize the First Name field to strip or escape HTML tags, and apply context‑appropriate encoding when rendering stored data. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of XSS. Users should consider upgrading to a maintained alternative if no update becomes available [1].