SourceCodester SUP Online Shopping productedit.php cross site scripting
Description
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in SourceCodester SUP Online Shopping 1.0 via productName parameter in /admin/productedit.php allows remote attackers to inject arbitrary scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester SUP Online Shopping version 1.0. The flaw resides in the /admin/productedit.php file, where the productName parameter is not properly sanitized or encoded before being stored and later rendered in the web page. This allows an attacker to inject arbitrary JavaScript code that will execute in the context of the affected page when viewed by an administrator or other user [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. The attack is performed by sending a POST request to /admin/productedit.php with a script payload in the productName parameter. The injected script is stored on the server and executed whenever the product edit page is accessed by a victim [1].
Impact
Successful exploitation enables an attacker to steal session cookies, perform actions on behalf of authenticated users, capture sensitive input (e.g., login credentials), and modify the appearance or content of the web page. This poses a severe threat to the security of the system and the privacy of its users [1].
Mitigation
As of the publication date, no official patch has been released by the vendor. The vendor homepage is available at [2], but no fix or advisory has been published. Users should consider implementing input validation and output encoding for the productName parameter as a workaround. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
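The workaround described above (validate productName on input, encode it on output, and keep the write parameterised so the persistence layer does not undo either step) as an added, self-contained example. This is not code from SourceCodester SUP Online Shopping; the function names, the `products` table and its `name`/`id` columns, and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example: a hypothetical product-edit handler showing the weak pattern
// the advisory describes beside a hardened version. Not the project's code;
// table/column names and the sample input are assumptions.

declare(strict_types=1);

// --- Weak pattern: the stored name is echoed verbatim into an attribute. ---
// Any quote or angle bracket in productName becomes part of the page markup.
function render_name_unsafe(string $storedName): string
{
    return '<input type="text" name="productName" value="' . $storedName . '">';
}

// --- Hardened step 1: validate on input. ---
// Reject empty, over-long, or control-character names. Validation narrows
// what is stored; it does not replace output encoding.
function validate_product_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $name) === 1) {
        return null;
    }
    return $name;
}

// --- Hardened step 2: encode on output for the HTML attribute context. ---
// ENT_QUOTES escapes both quote styles so the value cannot close the
// attribute; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8.
function render_name_safe(string $storedName): string
{
    $encoded = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="productName" value="' . $encoded . '">';
}

// --- Hardened step 3: parameterised write (assumed schema). ---
function store_product_name(PDO $db, int $productId, string $name): void
{
    $stmt = $db->prepare('UPDATE products SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $productId]);
}

function load_product_name(PDO $db, int $productId): string
{
    $stmt = $db->prepare('SELECT name FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    return (string) $stmt->fetchColumn();
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO products (id, name) VALUES (1, 'placeholder')");

// Constructed sample: a name containing a quote and markup, as a form might submit.
$submitted = '"><b>Widget</b>';
$validated = validate_product_name($submitted);

if ($validated === null) {
    echo "rejected\n";
} else {
    store_product_name($db, 1, $validated);
    $stored = load_product_name($db, 1);
    echo render_name_unsafe($stored), "\n"; // the quote closes the attribute early
    echo render_name_safe($stored), "\n";   // the quote is rendered as &quot;
}
```

The point to take from the two render functions is that the encoding must match the output context: `htmlspecialchars` with `ENT_QUOTES` is correct for an HTML attribute or element body, but a value written into a JavaScript block or a URL needs a different encoder, and a length or character check on input does not cover either case.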
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/redshadowword-cell/CVE/issues/13 (mitre; exploit; issue-tracking)
- vuldb.com/submit/813270 (mitre; third-party-advisory)
- vuldb.com/vuln/365340 (mitre; vdb-entry; technical-description)
- vuldb.com/vuln/365340/cti (mitre; signature; permissions-required)
- www.sourcecodester.com (mitre; product)
News mentions
No linked articles in our index yet.