- Vulnerability Type: Reflected Cross-Site Scripting (XSS)
- Discovered by: Sebin Thomas
- Vendor Homepage: Library Manager GitHub
- Tested Version: v1.0
- CVE ID: Pending Assignment
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the msg parameter of index.php in the Library Manager application.
The application fails to sanitize user-supplied input before reflecting it in the HTTP response, allowing an attacker to execute arbitrary JavaScript code in the victim’s browser.
- Name: Library Manager
- Version: All versions up to the latest tested (2025-08-23)
- Component: index.php (msg parameter)
- Server: XAMPP 8.2.4
- Browser: Chrome 138
- OS: Windows 11
Send the following malicious request:
GET /Library-Manager/library_Project/index.php?msg=<script>alert("XSS")</script> HTTP/1.1
Host: localhost
When executed, a JavaScript alert box appears in the victim’s browser as of below, confirming successful script injection.
- Execution of arbitrary JavaScript in the victim’s browser
- Theft of session cookies or sensitive data
- Defacement or malicious redirection
- Potential pivot to other client-side attacks
- Implement input validation and output encoding for all user-supplied parameters.
- Use frameworks or libraries that automatically escape HTML special characters.
- Apply a Content Security Policy (CSP) to mitigate the impact of injected scripts.