CVE-2024-40069
Description
Stored XSS in Sourcecodester Online ID Generator System 1.0 via 'firstname' and 'lastname' parameters in Users.php allows persistent script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) issue in Sourcecodester Online ID Generator System version 1.0. It resides in the id_generator/classes/Users.php script, specifically in the save action triggered via Users.php?f=save. The POST parameters firstname and lastname are neither validated on input nor encoded on output before being stored in the database and later rendered, so an attacker can inject arbitrary JavaScript that executes in the browser of anyone viewing the stored values. The affected version is V1.0 [1].
Exploitation
An attacker must have access to the admin panel (default credentials: admin/admin123) or any user role that can edit user profiles. The attack vector is the user management page at /admin/?page=user. The attacker inserts an XSS payload into the "First Name" or "Last Name" fields and clicks the update button. The payload is then stored in the database and executed when the page is rendered, as demonstrated in the proof-of-concept [1].
Impact
Successful exploitation results in persistent execution of attacker-controlled scripts within the context of the admin panel. This can lead to session hijacking, theft of sensitive data, defacement, or further compromise of the application and its users. The impact is limited to the browser session of any user who views the affected user list [1].
Mitigation
As of the publication date (2025-04-16), no official patch has been released by Sourcecodester. Users should implement server-side input validation and context-appropriate output encoding (HTML entity encoding when the values are rendered into the page) for the firstname and lastname parameters, or consider disabling the user management functionality if not required. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. If possible, migrate to a supported alternative [1].
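The following is an added example of the validate-on-input, encode-on-output pattern the mitigation describes; it is not code from the Sourcecodester project. It assumes a PDO connection and a `users` table with `firstname` and `lastname` columns (the real Users.php schema and function names may differ), and the sample row is constructed to show that a stored payload is neutralised at render time even if validation were bypassed.

```php
<?php
// Added example (not the project's code): defensive handling of the
// firstname/lastname fields described for CVE-2024-40069.
// Assumptions: a PDO connection $pdo and a `users` table with
// firstname/lastname columns; the vendor's schema may differ.

declare(strict_types=1);

// Input validation: accept only plausible personal names, bounded in length.
function validateName(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    // Letters in any script, combining marks, spaces, apostrophes and hyphens.
    if (!preg_match("/^[\\p{L}\\p{M}' -]+$/u", $value)) {
        return null;
    }
    return $value;
}

// Output encoding for the HTML element/text context.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of a "save" action: reject invalid input instead of
// storing it, and use a prepared statement for the write.
function saveUser(PDO $pdo, array $post, int $userId): bool
{
    $first = validateName((string)($post['firstname'] ?? ''));
    $last  = validateName((string)($post['lastname'] ?? ''));
    if ($first === null || $last === null) {
        return false; // invalid name: nothing is written
    }
    $stmt = $pdo->prepare(
        'UPDATE users SET firstname = :f, lastname = :l WHERE id = :id'
    );
    return $stmt->execute([':f' => $first, ':l' => $last, ':id' => $userId]);
}

// Rendering: every stored value is encoded before it reaches the page, so
// the user list is safe even for rows written before validation existed.
function renderUserRow(array $row): string
{
    return '<tr><td>' . escapeHtml((string)$row['firstname']) . '</td>'
         . '<td>' . escapeHtml((string)$row['lastname']) . '</td></tr>';
}

// Constructed sample rows (not real data): one carrying a script tag as it
// might already sit in the database, one with a legitimate apostrophe.
$rows = [
    ['firstname' => '<script>alert(1)</script>', 'lastname' => 'Example'],
    ['firstname' => 'Mary', 'lastname' => "O'Brien"],
];
foreach ($rows as $row) {
    echo renderUserRow($row), PHP_EOL;
}
var_dump(validateName('<script>alert(1)</script>')); // rejected on input
var_dump(validateName("O'Brien"));                   // accepted
```

Both layers matter: validation stops new payloads from being stored, while encoding at render time protects against anything already in the database and against other write paths the validation does not cover.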
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: =1.0
- 1 more (not listed)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.