SourceCodester Indian Invoicing System Invoice Template Render Database-Backed add_order.php cross site scripting
Description
A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in SourceCodester Indian Invoicing System up to 1.0 via unsanitized customer_name input in add_order.php.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Indian Invoicing System version 0.x and 1.0. The flaw resides in the /Invoicing/add_order.php endpoint, specifically in how the customer_name argument is processed. User-supplied input is stored in the database and later rendered without proper output encoding in invoice templates, such as /Invoice.php and /IGST_Invoice.php. This allows an attacker to inject arbitrary JavaScript code that will execute when the invoice page is viewed.
Exploitation
An attacker needs no special privileges beyond the ability to make a POST request to the vulnerable endpoint. The attack can be launched remotely. The exploit involves sending a crafted request with a JavaScript payload in the customer_name field, as demonstrated in available references [1][2]. For example, the payload "> is URL-encoded and submitted via HTTP POST. The application stores this payload in the database, and when any user (including administrators) views the invoice via /Invoice.php or /IGST_Invoice.php, the malicious script executes in their browser. The PoC has been publicly released.
Impact
Successful exploitation leads to client-side execution of arbitrary JavaScript in the context of the victim's session. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information displayed on the invoice page. The attack targets authenticated users who view the affected invoices, potentially compromising their account and data within the invoicing system.
Mitigation
As of the publication date, no official patch has been released for the SourceCodester Indian Invoicing System. The vendor has not acknowledged a fix, and the vulnerability remains unpatched. Mitigation recommendations include: escaping all dynamic values before rendering HTML, sanitizing and validating invoice-related fields at input time, and auditing all invoice and PDF views for unsafe data reflections. Organizations using this software should consider implementing a web application firewall or modifying the source code to apply proper output encoding.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Invoice templates render database-backed values directly into HTML without output encoding, allowing stored cross-site scripting."
Attack vector
An attacker sends a POST request to `/Invoicing/add_order.php` with a `customer_name` parameter containing a JavaScript payload, such as `">
Affected code
The vulnerable endpoint is `/Invoicing/add_order.php`, where the `customer_name` parameter is accepted without sanitization. The stored value is later rendered without output encoding in `/Invoice.php` and `/IGST_Invoice.php` during invoice template rendering [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends escaping all dynamic values before rendering into HTML, sanitizing invoice-related fields at input time, and auditing invoice and PDF views for other unsafe echoes [ref_id=1].
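The Mitigation section and the fix description above both come down to the same two controls: encode every database-backed value at the point where the invoice template writes it into HTML, and validate invoice fields such as `customer_name` when `add_order.php` accepts them. The following is an added example written for this page, not code from the SourceCodester project; the function names, the input-field markup and the validation rule are assumptions, and the sample value is the decoded form of the payload shown in the reproduction steps.

```php
<?php
// Added example, not the project's own code. Hardened handling of the
// customer_name value the advisory describes; all names here are assumptions.

declare(strict_types=1);

// Output encoding: the control the advisory recommends for /Invoice.php and
// /IGST_Invoice.php. ENT_QUOTES encodes both " and ' so the encoded value is
// inert inside attribute values as well as inside element text.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input-time validation for add_order.php: reject empty, over-long or
// metacharacter-bearing names. Returns null when the value is rejected.
// Assumes the mbstring extension for a character (not byte) length check.
function validateCustomerName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters, digits, spaces and a small set of punctuation found in names;
    // <, >, " and / are deliberately excluded.
    if (!preg_match('/^[\p{L}\p{N} .,\'&-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Template fragment as the advisory describes the vulnerable rendering:
// the stored value is written into the HTML attribute unencoded.
function renderVulnerable(string $customerName): string
{
    return '<input type="text" name="customer_name" value="' . $customerName . '">';
}

// The same fragment with output encoding applied at render time.
function renderFixed(string $customerName): string
{
    return '<input type="text" name="customer_name" value="' . esc($customerName) . '">';
}

// Constructed sample input: the decoded form of the reproduction payload.
$stored = '"><script>alert(document.domain)</script>';

// In the vulnerable fragment the leading "> closes the attribute and the
// element, so the script tag lands in the page as markup.
echo renderVulnerable($stored), PHP_EOL;

// In the fixed fragment every metacharacter is an HTML entity, so the
// browser shows the text and executes nothing.
echo renderFixed($stored), PHP_EOL;

// Defence in depth: the same value never reaches the database because the
// input-time check rejects it, while an ordinary name passes through.
var_dump(validateCustomerName($stored));
var_dump(validateCustomerName('Acme & Sons'));
```

Output encoding at render time is the control that actually closes the hole, because it protects every value already sitting in the database, including rows stored before the fix; the input-time check only keeps new malicious rows out. Auditing for other unencoded echoes, as the advisory recommends, means applying `esc()` (or the project's equivalent) to every dynamic value the invoice and PDF views print, not only `customer_name`.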
Preconditions
- Auth: Attacker must have network access to the application and a valid session cookie (PHPSESSID) to submit the POST request
- Config: The application must be running the vulnerable SourceCodester Indian Invoicing System version
- Input: A victim with an active session must view the invoice page where the payload is rendered
Reproduction
1. Obtain a valid PHPSESSID cookie for the application.
2. Send a POST request to `/InvoicingSystem_PHP/Invoicing/add_order.php` with `Content-Type: application/x-www-form-urlencoded` and body `customer_name=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&seller_name=test&amount=100` [ref_id=1].
3. Navigate to `/Invoice.php` or `/IGST_Invoice.php` to view the rendered invoice; the injected script executes in the browser [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/97c5babe1f16fa3243333528a40b7550 (mitre: exploit)
- vuldb.com/submit/813610 (mitre: third-party-advisory)
- vuldb.com/vuln/365395 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365395/cti (mitre: signature, permissions-required)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.