VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

SourceCodester Indian Invoicing System category.php cross site scripting

CVE-2026-9413

Description

A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Indian Invoicing System 1.0 suffers from a reflected XSS and SQL injection in /Invoicing/category.php via unsanitized msg and search parameters.

Vulnerability

SourceCodester Indian Invoicing System 1.0 (also referred to as Invoicing System In PHP 1.0) contains both a reflected cross-site scripting (XSS) and a SQL injection vulnerability in the file /Invoicing/category.php. The XSS is triggered by the msg argument in GET requests, whose value is reflected directly into the HTML response without HTML encoding. Additionally, the search filter field used in SQL queries lacks sanitization or prepared statements, enabling SQL injection. Only version 1.0 of the project is listed as affected [1][2].

Exploitation

An attacker can initiate the attack remotely with a crafted HTTP GET request. For the reflected XSS, simply appending ?msg= to the endpoint URL causes the script to execute in the victim's browser when the page is loaded. No authentication is required for the XSS vector. For SQL injection, an attacker must pass a malicious payload such as admin' UNION SELECT 1,2,3,4,5,6 FROM users-- - via the search field on the same page to extract data from arbitrary database tables [2].

Impact

Successful exploitation of the XSS allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking (stealing the admin session cookie) and defacement. The SQL injection can result in full confidentiality and integrity compromise: unauthorized access to database contents (confidentiality) and unauthorized modification of product categories and other business data (integrity) [2]. The attacker may gain admin-level control over the application.

Mitigation

As of the publication date, no official patch has been released by the vendor and the vulnerability is listed as unpatched [2]. The recommended mitigations are to apply output escaping using htmlspecialchars() on all dynamic data rendered in the browser to prevent XSS, and to replace all raw SQL queries with parameterized statements (prepared statements) to prevent SQL injection [2]. Users should monitor the official SourceCodester project page for updates [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing output encoding — the `msg` parameter value is reflected into the HTML response without `htmlspecialchars()` or any sanitization [ref_id=1]."

Attack vector

An attacker sends a crafted GET request to `/InvoicingSystem_PHP/Invoicing/category.php` with a malicious `msg` parameter containing a JavaScript payload, such as `

Affected code

The vulnerable endpoint is `/InvoicingSystem_PHP/Invoicing/category.php` [ref_id=1]. The `msg` parameter is reflected directly into the HTML response without HTML encoding [ref_id=1]. No patch is available in the bundle.

What the fix does

No patch is provided in the bundle. The advisory recommends using `htmlspecialchars()` on all dynamic data rendered in the browser to escape output, and replacing raw SQL queries with parameterized prepared statements to prevent SQL injection [ref_id=1].
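The two controls named here and in the Mitigation paragraph above (htmlspecialchars() on every dynamic value at output, and prepared statements for the search filter) are shown together in the following added example. It is not code from the SourceCodester project or from the advisory: the original source is not in the bundle, so the vulnerable line is reconstructed from the description, and the categories table and its columns, the helper names h(), find_categories() and render(), and the in-memory SQLite database standing in for the application's MySQL connection are all assumptions made so the script runs stand-alone (php hardened_category.php).

```php
<?php
// Added example, not code from the SourceCodester project: a hardened version of
// the category.php pattern the advisory describes. The vulnerable shape is
// reconstructed from the description (no source is in the bundle); the table and
// column names and the SQLite stand-in database are assumptions for a stand-alone run.
declare(strict_types=1);

// Encode a value for HTML text or attribute context. ENT_QUOTES covers both quote
// styles so the value is also safe inside attributes; ENT_SUBSTITUTE keeps invalid
// UTF-8 from making htmlspecialchars() return an empty string silently.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Search with a bound parameter: the user's text never becomes part of the SQL.
// LIKE wildcards and the escape character itself are escaped so a user typing
// % or _ cannot widen the match; ESCAPE '!' is accepted by both MySQL and SQLite.
function find_categories(PDO $db, string $search): array
{
    $stmt = $db->prepare(
        "SELECT id, name FROM categories WHERE name LIKE :needle ESCAPE '!' ORDER BY name"
    );
    $needle = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search) . '%';
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render the page. Every dynamic value passes through h() exactly once, at output.
function render(PDO $db, ?string $msg, string $search): string
{
    $out = '<!doctype html><meta charset="utf-8"><title>Categories</title>';
    if ($msg !== null && $msg !== '') {
        // VULNERABLE shape, reconstructed from the advisory:  echo $_GET['msg'];
        $out .= '<p class="alert">' . h($msg) . '</p>';
    }
    $out .= '<form method="get"><input name="search" value="' . h($search) . '">'
          . '<button>Filter</button></form><ul>';
    foreach (find_categories($db, $search) as $row) {
        $out .= '<li>' . h($row['name']) . '</li>';
    }
    return $out . '</ul>';
}

// Stand-in for the application's MySQL connection. With pdo_mysql you would also
// set PDO::ATTR_EMULATE_PREPARES to false so statements are prepared server-side.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO categories (name) VALUES ('Hardware'), ('Software'), ('Services')");

if (PHP_SAPI === 'cli') {
    // Constructed inputs for a command-line run; in the web app these arrive in $_GET.
    $_GET['msg']    = '<b>Category saved</b>'; // markup is rendered as literal text
    $_GET['search'] = "ware' OR '1'='1";       // matched literally: zero rows, not every row
}

$msg    = isset($_GET['msg']) && is_string($_GET['msg']) ? $_GET['msg'] : null;
$search = isset($_GET['search']) && is_string($_GET['search']) ? $_GET['search'] : '';

echo render($db, $msg, $search), "\n";
```

The encoding happens at the point of output rather than on input, so the same value can later be stored or logged unchanged; the bound parameter means the search text is compared literally, so the constructed input returns no rows instead of the whole table. Restricting msg to a fixed set of application-generated message keys would be a further hardening step beyond what the advisory recommends.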

Preconditions

  • network: The attacker must be able to send HTTP requests to the vulnerable endpoint.
  • auth: No authentication is required to trigger the reflected XSS; a valid session cookie is only needed if the page checks authentication.

Reproduction

Send a GET request to the vulnerable endpoint with a JavaScript payload in the `msg` parameter:

```
GET /InvoicingSystem_PHP/Invoicing/category.php?msg=
```
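The same GET request shape described under Attack vector and Reproduction is what a defender can look for in web server logs while the application remains unpatched. The following added example (not part of the advisory or the project) scans Apache combined-format access log lines for requests to category.php whose decoded msg parameter carries markup or whose search parameter carries a quote or comment marker next to a SQL keyword. The log lines are constructed; the endpoint path comes from the advisory; the functions parse_access_line(), looks_like_markup(), looks_like_sql() and scan_log() are this example's own. It needs PHP 8 for str_ends_with().

```php
<?php
// Added example, not from the advisory or the project: flag requests to the
// affected endpoint whose msg/search query parameters carry markup or SQL
// metacharacters. The log lines are constructed in Apache "combined" format.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [25/May/2026:10:01:02 +0000] "GET /InvoicingSystem_PHP/Invoicing/category.php?msg=Category%20saved HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.44 - - [25/May/2026:10:01:09 +0000] "GET /InvoicingSystem_PHP/Invoicing/category.php?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2360 "-" "curl/8.5.0"
203.0.113.44 - - [25/May/2026:10:01:15 +0000] "GET /InvoicingSystem_PHP/Invoicing/category.php?search=admin%27+UNION+SELECT+1%2C2%2C3%2C4%2C5%2C6+FROM+users--+- HTTP/1.1" 200 4102 "-" "curl/8.5.0"
198.51.100.7 - - [25/May/2026:10:02:00 +0000] "GET /InvoicingSystem_PHP/Invoicing/index.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line: client, timestamp, method, path, status and
// the percent-decoded query parameters. Returns null for lines that do not match.
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url   = parse_url($m[4]);
    $query = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $query); // decodes %XX and '+' like the application would
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'status' => (int) $m[5],
        'query'  => $query,
    ];
}

// A status message never legitimately contains tags, a javascript: URL or an
// inline event handler, so any of these in msg is worth an alert.
function looks_like_markup(string $v): bool
{
    return preg_match('/<|>|javascript:|\bon[a-z]+\s*=/i', $v) === 1;
}

// Heuristic for the search filter: a string-breaking character or comment marker
// together with a SQL keyword. Requiring both keeps ordinary apostrophes quiet.
function looks_like_sql(string $v): bool
{
    $breaks  = preg_match('/[\'"]|--|\/\*|#/', $v) === 1;
    $keyword = preg_match('/\b(union|select|insert|update|delete|drop|sleep|benchmark)\b/i', $v) === 1;
    return $breaks && $keyword;
}

// Return one record per suspicious parameter on requests to category.php.
// Only GET query strings are visible here; POST bodies are not in access logs.
function scan_log(string $log): array
{
    $flags = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_line($line);
        if ($req === null || !str_ends_with($req['path'], '/Invoicing/category.php')) {
            continue;
        }
        $q = $req['query'];
        if (isset($q['msg']) && is_string($q['msg']) && looks_like_markup($q['msg'])) {
            $flags[] = ['time' => $req['time'], 'ip' => $req['ip'], 'param' => 'msg',
                        'value' => $q['msg'], 'indicator' => 'reflected-xss'];
        }
        if (isset($q['search']) && is_string($q['search']) && looks_like_sql($q['search'])) {
            $flags[] = ['time' => $req['time'], 'ip' => $req['ip'], 'param' => 'search',
                        'value' => $q['search'], 'indicator' => 'sql-injection'];
        }
    }
    return $flags;
}

foreach (scan_log(SAMPLE_LOG) as $f) {
    printf("[%s] %-14s %s %s=%s\n", $f['time'], $f['indicator'], $f['ip'], $f['param'], $f['value']);
}
```

Run it as php scan_category_log.php, or feed a real log with scan_log(file_get_contents($path)). The first and last constructed lines are benign and produce nothing; the two from the second client are flagged. The decoded view matters: matching the raw, percent-encoded request line would miss variations in encoding that the application itself decodes before reflecting or querying.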

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)