## Critical Vulnerability Information

### Vulnerability Overview

- **CVE ID**: CVE-2025-63640
- **Discoverer**: Ivan Cese
- **Affected Product**: Medicine Reminder App v1.0
- **Vendor**: Sourcecodester
- **Vulnerability Type**: Cross-Site Scripting (XSS)

### Description

The Medicine Reminder App v1.0 by Sourcecodester contains a Cross-Site Scripting (XSS) vulnerability in the "Medicine Name" and "Remarks (Optional)" fields when creating an "Upcoming Reminder". Attackers can inject arbitrary malicious HTML/JavaScript code, which executes when the user clicks the "Save Reminder" button.

### Attack Vector

Attackers can inject a payload that executes in other users' browsers when the reminder is viewed or saved, potentially leading to session hijacking or arbitrary malicious actions.

### Attack Type

- Type: Remote
- Affects Code Execution: True
- Affects Privilege Escalation: True
- Affects Information Disclosure: True

### Important Notes

**Reproduction Steps**:

1. Insert potentially malicious HTML/JavaScript payloads into the "Medicine Name" and "Remarks (Optional)" input fields.
2. Click the "Save Reminder" button and observe the execution of the malicious payload.

### Notes

**Impact**:

1. Enables theft of cookies or session tokens, allowing attackers to impersonate users and escalate privileges;
2. Facilitates in-page phishing, credential harvesting, or malware distribution via malicious injection;
3. Allows leakage or manipulation of sensitive user data, compromising application trust and integrity.

### Recommendations

**Mitigation Measures**:

1. Input Validation and Sanitization – Strictly validate and sanitize all user-supplied data before rendering;
2. Content Security Policy (CSP) – Implement a strict CSP to restrict script sources and prevent inline script execution;
3. Output Encoding – Properly encode data based on context (HTML, JavaScript, URL, etc.);
4. Use Secure Frameworks/Libraries – Leverage frameworks that automatically handle escaping and prevent XSS;
5. HttpOnly Cookies – Mark session cookies as HttpOnly to prevent access by client-side scripts.

### References

- [Medicine Reminder App using HTML-CSS and JavaScript source code](https://www.sourcecodester.com/javascript/18402/medicine-reminder-app-using-html-css-and-javascript-source-code.html)
- [Web Security Cross-Site Scripting](https://portswigger.net/web-security/cross-site-scripting)
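The following is an added example illustrating mitigation measures 1 and 3 (input validation and context-aware output encoding) for the two affected fields. It is not code from the Medicine Reminder App or from Sourcecodester; the function names, length limits and the sample reminder are assumptions constructed for this illustration. It contrasts the unsafe pattern the advisory describes (concatenating raw field values into HTML) with a hardened renderer that encodes every untrusted value for the HTML text context before it reaches the page.

```javascript
// Added example, not the Medicine Reminder App's own code.
// Demonstrates validation and HTML output encoding for the
// "Medicine Name" and "Remarks (Optional)" reminder fields.

// Characters that have meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for safe insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed length limits for this example; the real app defines none.
const MAX_NAME_LEN = 100;
const MAX_REMARKS_LEN = 500;

// Validate a reminder object. Validation limits abuse (type, presence,
// length) but does not replace output encoding: a legitimate name such
// as "Vitamin <D>" must still be renderable, so we do not strip markup here.
function validateReminder(reminder) {
  const errors = [];
  const name = typeof reminder.name === "string" ? reminder.name.trim() : "";
  const remarks =
    typeof reminder.remarks === "string" ? reminder.remarks.trim() : "";
  if (name.length === 0) errors.push("medicine name is required");
  if (name.length > MAX_NAME_LEN)
    errors.push(`medicine name exceeds ${MAX_NAME_LEN} characters`);
  if (remarks.length > MAX_REMARKS_LEN)
    errors.push(`remarks exceed ${MAX_REMARKS_LEN} characters`);
  return { ok: errors.length === 0, errors, name, remarks };
}

// Unsafe pattern (constructed to mirror the advisory's description):
// raw field values are interpolated straight into markup, so any HTML
// or script in the stored reminder is rendered and executed by the browser.
function renderReminderUnsafe(reminder) {
  return (
    `<li class="reminder"><strong>${reminder.name}</strong>` +
    `<p>${reminder.remarks}</p></li>`
  );
}

// Hardened pattern: every untrusted value is HTML-encoded before
// concatenation, so the browser shows the characters instead of parsing them.
function renderReminderSafe(reminder) {
  return (
    `<li class="reminder"><strong>${escapeHtml(reminder.name)}</strong>` +
    `<p>${escapeHtml(reminder.remarks)}</p></li>`
  );
}

// Constructed sample input containing markup characters in both fields.
const SAMPLE_REMINDER = {
  name: "<b>Aspirin</b>",
  remarks: 'Take with "water" & food',
};

// Run the pipeline: validate, then render with the hardened function.
function processReminder(reminder) {
  const result = validateReminder(reminder);
  if (!result.ok) return { ok: false, errors: result.errors, html: "" };
  return { ok: true, errors: [], html: renderReminderSafe(result) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderReminderUnsafe(SAMPLE_REMINDER));
  console.log("safe:  ", processReminder(SAMPLE_REMINDER).html);
}
```

In the browser itself, the simplest equivalent of `renderReminderSafe` is to build elements with `document.createElement` and assign field values via `textContent` rather than `innerHTML`; the string-encoding form above is used here only so the behaviour can be checked outside a browser. Either way, the encoding must happen at render time for the HTML context in use, not once at save time, since the same stored value may later be placed into a URL or a script block that needs different encoding.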