CVE-2026-10810
Description
itsourcecode Fees Management System 1.0 is vulnerable to reflected XSS via the 'page' parameter in /navbar.php, allowing remote attackers to inject script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. The vulnerability is located in the /navbar.php file and is triggered by manipulating the 'page' URL parameter. User-supplied input is directly reflected in the page output without proper sanitization, allowing for the injection of arbitrary JavaScript code [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attacker needs to trick a victim into visiting a specially crafted URL that includes malicious JavaScript code within the 'page' parameter. For example, a URL like http://[target]/navbar.php?page=%27)(%27(%27) could be used to demonstrate script execution [2].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the victim's browser session. This can lead to various security risks, including session hijacking, unauthorized actions performed on behalf of the user, data theft, and potentially malware distribution [2].
Mitigation
No specific patched version or release date is available in the provided references. Recommended remediation steps include implementing input validation that rejects special characters or, preferably, uses an allow-list approach, combined with output encoding functions such as htmlspecialchars() or htmlentities(). Security headers such as Content-Security-Policy and X-XSS-Protection can also help mitigate the impact [2]. The vendor's website is given in reference [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unsanitized user input in the URL parameter 'page' is directly reflected in the page output [ref_id=1]."
Attack vector
The vulnerability exists in the /navbar.php file, specifically when handling the 'page' URL parameter. An attacker can craft a URL that includes malicious JavaScript code within the 'page' parameter. When a victim visits this URL, the server reflects the unsanitized input, causing the injected script to execute in the victim's browser [ref_id=1]. This attack is remotely executable and requires no authentication [ref_id=1].
Affected code
The vulnerability is located in the /navbar.php file of the Fees Management System, specifically concerning the handling of the 'page' URL parameter [ref_id=1]. User-supplied input in this parameter is directly reflected in the output without proper sanitization, leading to the Cross-Site Scripting vulnerability [ref_id=1].
What the fix does
The advisory recommends input validation, such as rejecting special characters or using an allow-list approach, and output encoding using functions like `htmlspecialchars()` or `htmlentities()` to prevent the reflection of malicious code [ref_id=1]. Implementing a Content-Security-Policy header is also suggested to mitigate the impact of such attacks [ref_id=1]. No specific patch details are provided, but these measures would validate the 'page' value and encode it before it is rendered, thus preventing script execution.
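An added example, not code from the itsourcecode project (the real /navbar.php is not on this page): the assumed reflection pattern beside a hardened version that applies the allow-list validation, `htmlspecialchars()` encoding and Content-Security-Policy header the advisory recommends. The page names in the allow-list and the sample inputs are constructed for the example.

```php
<?php
// Added example, not the itsourcecode project's own code. The original navbar.php
// is not on this page, so the "vulnerable" function below is an assumption about
// what "directly reflected" means in practice: the raw ?page= value is echoed into HTML.
declare(strict_types=1);

// Assumed vulnerable pattern, shown only for contrast: no validation, no encoding.
function navbarLinkVulnerable(string $page): string
{
    return '<a class="active" href="index.php?page=' . $page . '">' . $page . '</a>';
}

// Allow-list: a navbar only ever links to a fixed set of internal pages, so any
// other value is replaced by a safe default. Names here are constructed.
const ALLOWED_PAGES = ['home', 'students', 'fees', 'payments', 'reports'];

function resolvePage(?string $requested, string $default = 'home'): string
{
    return ($requested !== null && in_array($requested, ALLOWED_PAGES, true))
        ? $requested
        : $default;
}

// Output encoding for any value placed in HTML text or an attribute. ENT_QUOTES
// encodes both ' and ", which matters because this CVE's example payload relies
// on single quotes to break out of its context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function navbarLinkHardened(?string $requested): string
{
    $page = resolvePage($requested);          // validation: allow-list
    return '<a class="active" href="index.php?page=' . e($page) . '">' . e($page) . '</a>';
}

// Defence in depth: a CSP without 'unsafe-inline' stops reflected inline script
// even if one encoding step is missed. X-XSS-Protection, also named in the
// advisory, no longer has an effect in current Chrome or Edge and Firefox never
// implemented it, so CSP is the header worth relying on.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Demonstration with constructed inputs, including the decoded form of the
// advisory's example URL value (%27)(%27(%27) decodes to ')('(') ).
foreach (['fees', "')('(')", 'not_a_page'] as $input) {
    echo navbarLinkVulnerable($input), PHP_EOL;   // raw reflection of the input
    echo navbarLinkHardened($input), PHP_EOL;     // unknown names fall back to 'home'
}
```

Run with `php navbar_example.php` to compare the two outputs line by line; the hardened version never emits a quote character from the request, and the unknown names resolve to the default page.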
Preconditions
- auth: No authentication is required to exploit this vulnerability [ref_id=1].
- network: The attack can be carried out remotely [ref_id=1].
- input: The attacker must trick a user into visiting a maliciously crafted URL containing the 'page' parameter with injected script [ref_id=1].
Reproduction
Visit URL: http://[target]/navbar.php?page=%27)</script><script>alert(0)</script>(%27</script><script>alert(0)</script>(%27) and observe JavaScript execution [ref_id=1].
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Itsourcecode Fees Management System: Three Medium-Severity Flaws Disclosed Together (Vypr Intelligence · Jun 4, 2026)