CVE-2023-23026 has been assigned.
Cross-site scripting (XSS) vulnerability in sourcecodester oretnom23 sales management system 1.0 allows attackers to execute arbitrary web script in the browser of any user who views the affected page, via the product_name and product_price inputs that are rendered unescaped in file print.php.
Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code
Multiple stored XSS vulnerabilities.
The POST inputs (sources) are saved directly to the database without any validation or encoding, and the stored values are later echoed into HTML views without output escaping (sinks).
// Controllers/Categories.php
// Source: $this->input->post() with no arguments returns the whole POST body,
// which is handed to DB::save() as-is.
$data = $this->input->post();
if ($insert_id = DB::save(TABLE_CATEGORIES, $data)) {
//...
}
// Controllers/Orders.php (same pattern)
$data = $this->input->post();
if(DB::save(TABLE_ORDERS, $data)){
//...
}
// Controllers/Products.php (same pattern; product_name and product_price land here)
$data = $this->input->post();
if ($insert_id = DB::save(TABLE_PRODUCTS, $data)) {
//...
}
// views/orders/print.php
// Sink: the stored product_name is echoed into a table cell without escaping.
<?php
$product_name = DB::get_cell(TABLE_PRODUCTS, $where, 'product_name'); // $where is built earlier in the view (omitted here)
?>
<td><?=$product_name ?></td>
// views/orders/form.php
// Sink: product_name and product_price are echoed into the option text; ucfirst() does not encode anything.
<?php foreach(DB::get(TABLE_PRODUCTS) as $row): ?>
<option value="<?=$row->product_id ?>"><?=ucfirst($row->product_name) ?> - <?=$row->product_price ?></option>
<?php endforeach; ?>
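The following is an added, stand-alone PHP example (plain PHP, no CodeIgniter; it is not code from the project) that reproduces the source and the two sinks shown above next to their hardened forms. The field list, the function names and the sample payload are constructed for illustration and are assumptions, not the project's own names.

```php
<?php
// Added example, not project code. Reproduces the vulnerable pattern above
// and the fix: whitelist the fields written to the table, and encode
// every value at output in the HTML context it lands in.

// --- Source: the controllers hand the whole POST body to DB::save() ------
// Assumed column set for the products table.
const PRODUCT_FIELDS = ['product_name', 'product_price'];

function filter_product_input(array $post): array
{
    $clean = [];
    foreach (PRODUCT_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or malformed field: $field");
        }
        $clean[$field] = trim($post[$field]);
    }
    // product_price must be a non-negative decimal with at most two places;
    // anything else (including markup) is rejected before it is stored.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $clean['product_price'])) {
        throw new InvalidArgumentException('invalid product_price');
    }
    return $clean;
}

// --- Sink: the views echo database values straight into HTML -------------
function esc(string $value): string
{
    // Encode for an HTML body or quoted-attribute context. ENT_QUOTES covers
    // both quote styles, so the same helper is safe inside value="...".
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// views/orders/print.php as shipped (vulnerable) ...
function print_cell_vulnerable(string $product_name): string
{
    return '<td>' . $product_name . '</td>';
}

// ... and with output encoding.
function print_cell_fixed(string $product_name): string
{
    return '<td>' . esc($product_name) . '</td>';
}

// views/orders/form.php: ucfirst() does not sanitize anything, so encode
// after it. product_id is typed as int because it lands inside an attribute.
function option_fixed(int $product_id, string $product_name, string $product_price): string
{
    return '<option value="' . $product_id . '">'
        . esc(ucfirst($product_name)) . ' - ' . esc($product_price)
        . '</option>';
}

// --- Demonstration with a constructed payload ----------------------------
$payload = '"><script>alert(document.cookie)</script>';

// Stored through the products controller, rendered later on the print page:
// the first line is live markup, the second is inert text.
echo print_cell_vulnerable($payload), PHP_EOL;
echo print_cell_fixed($payload), PHP_EOL;
echo option_fixed(7, $payload, '9.99'), PHP_EOL;

// The whitelist drops any extra POST keys and rejects a scripted price.
$post = ['product_name' => 'Widget', 'product_price' => '9.99', 'extra_column' => '1'];
var_dump(filter_product_input($post));

try {
    filter_product_input(['product_name' => 'Widget', 'product_price' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. In the application itself the same effect is obtained by wrapping each `<?= ... ?>` in the views with CodeIgniter 3's `html_escape()` helper (or `htmlspecialchars()` as above), and by passing the expected field names to `$this->input->post()` in the controllers instead of saving the whole POST array. Encoding belongs at the point of output, chosen for the context (HTML text, attribute, JavaScript, URL); stripping tags on input is not a substitute, because the stored value is rendered in more than one context (print.php and form.php).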