CVE-2024-40074

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Online ID Generator System version 1.0. The flaw is located in /id_generator/classes/SystemSettings.php when processing the short_name POST parameter through the update_settings function [1]. An attacker with administrative access can inject arbitrary JavaScript payloads into the "System Short Name" field on the system settings page. The application fails to sanitize or escape this user-supplied input before storing it in the database [1]. When an admin later visits the system info page (/id_generator/admin/?page=system_info), the stored payload is executed in the browser [1].

Exploitation

An attacker requires administrative credentials to log in to the admin panel [1]. The attacker navigates to the system information page (/id_generator/admin/?page=system_info) and inserts a malicious XSS payload (e.g., `) into the "System Short Name" input field [1]. After clicking the update button, a POST request is sent to /id_generator/classes/SystemSettings.php?f=update_settings with the short_name` parameter containing the payload [1]. The payload is stored in the database without sanitization [1]. Any subsequent visit by an administrator to the affected page will execute the payload in the context of the admin’s session [1].

Impact

Successful exploitation results in arbitrary JavaScript execution in the browser of any admin who views the system info page. This can lead to session hijacking, defacement, or theft of sensitive data such as administrator cookies [1]. The attack does not require user interaction beyond the initial configuration by the victim (admin), and it persists until the stored payload is manually removed or the database entry is cleared [1].

Mitigation

As of the publication date, no official patch or fixed version has been released by Sourcecodester [1]. The vendor has not issued a security advisory for this vulnerability. To mitigate the risk, administrators should restrict access to the admin panel to trusted users only and implement input sanitization and output encoding for the short_name field. Alternatively, consider disabling the affected functionality or applying a custom web application firewall rule to block malicious input [1].