VYPR
Unrated severity · NVD Advisory · Published Sep 9, 2024 · Updated Sep 9, 2024

SourceCodester Online Food Ordering System Create an Account Page index.php cross site scripting

CVE-2024-8604

Description

A vulnerability classified as problematic has been found in SourceCodester Online Food Ordering System 2.0. This affects an unknown part of the file index.php of the component Create an Account Page. The manipulation of the argument First Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in SourceCodester Online Food Ordering System 2.0, reachable through the First Name/Last Name fields on the registration page, allows remote unauthenticated attackers to execute arbitrary scripts.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System version 2.0 [1]. The issue occurs in the Create an Account page of index.php, where the First Name and Last Name parameters are not properly sanitized. This allows an attacker to inject malicious JavaScript code into the application.

Exploitation

An unauthenticated attacker can exploit this vulnerability remotely by submitting a crafted registration request with malicious script payloads in either the First Name or Last Name fields. No special privileges or user interaction are required beyond submitting the form.

Impact

Successful exploitation leads to stored XSS, meaning the injected script is saved and executed when other users (including administrators) view the stored data. This could result in session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of the victim.

Mitigation

As of the publication date (September 9, 2024), no official patch has been released by the vendor for version 2.0. Mitigation measures include implementing input validation and output encoding for all user-supplied data, using a Content Security Policy (CSP) to restrict script execution, and upgrading to a fixed version if one becomes available in the future. [1]
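The three measures named above, applied to the First Name/Last Name fields, as an added example that is not code from the advisory or from the SourceCodester project. The function names, the `first_name`/`last_name` row keys, the name pattern and the CSP value are assumptions made for illustration, since the application's source is not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real code is not shown in the advisory.

/** Input validation: letters, combining marks, spaces, apostrophes, hyphens; 1-50 chars. */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    // \p{L} = any letter, \p{M} = combining mark; the /u flag enables UTF-8 mode.
    if (preg_match('/^[\p{L}\p{M}][\p{L}\p{M} \'\-]{0,49}$/u', $name) !== 1) {
        return null; // reject the value instead of trying to "clean" it
    }
    return $name;
}

/** Output encoding for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one stored account row, as a customer listing page might. */
function render_customer_row(array $row): string
{
    return '<tr><td>' . e($row['first_name']) . '</td><td>'
         . e($row['last_name']) . '</td></tr>';
}

/** CSP that disallows inline script and limits script sources to the site itself. */
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

// Constructed sample input, not taken from the advisory.
$samples = ['Anne-Marie', "O'Brien", '<script>alert(1)</script>'];
foreach ($samples as $s) {
    $verdict = validate_name($s) !== null ? 'accepted' : 'rejected';
    echo str_pad($verdict, 9), e($s), PHP_EOL;
}

// Rows saved before validation existed still render inertly once encoded on output.
echo render_customer_row(['first_name' => '<script>alert(1)</script>', 'last_name' => 'Doe']), PHP_EOL;

// In a web request this string would be passed to header() before any output is sent.
echo csp_header(), PHP_EOL;
```

Encoding at output is the control that covers data already stored in the database; validation only narrows what new registrations can save.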

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

4
