# Vulnerability Summary: Reflected XSS in Inventory System (Add Purchase)

**Overview**

* **Vulnerability Type**: Reflected Cross-Site Scripting (XSS)
* **Affected Product**: Inventory System
* **Affected Version**: 1.0
* **Affected Component**: Add Purchase (`add_purchase.php`)
* **Vulnerable Parameter**: `msg` (GET)
* **Description**: The application reads the `msg` parameter from the GET request and reflects it into the response page without validation or output encoding. Because the value lands in an HTML context unencoded, an attacker who gets a victim to open a crafted URL can have arbitrary JavaScript executed in the victim's browser within the application's origin.

**Impact**

* **Session Hijacking**: Attackers can steal administrator session cookies.
* **Privilege Escalation**: If the victim is an administrator, attackers can take over the system.

**Remediation**

* Implement strict input validation and output encoding (sanitization/encoding) for the `msg` parameter so that its value is never interpreted as markup or script.

**POC/Exploit Code**

* **Payload**: `alert(document.cookie)`
* **Full Exploit URL**:

```text
http://127.0.0.1:8080/web_inventory/add_purchase.php?msg=alert(document.cookie)
```
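The remediation bullet above, shown as code. This is an added example, not the Inventory System's own source: the vulnerable reflection of `msg` sits beside a hardened version that restricts `msg` to an allow-list of status keys (the key names are assumed) and entity-encodes anything written into HTML.

```php
<?php
// Added example, not code from the advisory or from the Inventory System.
declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is written straight into the page.
function render_msg_vulnerable(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Output encoding: entity-encode for an HTML element context (quotes included,
// so the same helper is safe inside attribute values too).
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation: `msg` only needs to select a status message, so map a small
// set of known keys (assumed names) to fixed server-side text and drop anything else.
const ALLOWED_MSGS = [
    'saved'   => 'Purchase saved.',
    'deleted' => 'Purchase deleted.',
    'error'   => 'Could not save purchase.',
];

function resolve_msg(?string $key): string
{
    return ALLOWED_MSGS[$key] ?? '';
}

// Hardened pattern: allow-list first, then encode the text that is rendered.
function render_msg_safe(?string $key): string
{
    $text = resolve_msg($key);
    if ($text === '') {
        return '';                       // unknown or missing key: render nothing
    }
    return '<div class="alert">' . encode_for_html($text) . '</div>';
}

// Constructed input standing in for $_GET['msg'] in a crafted request.
$untrusted = '<script>alert(document.cookie)</script>';

echo render_msg_vulnerable($untrusted), PHP_EOL; // script tag emitted verbatim
echo encode_for_html($untrusted), PHP_EOL;       // &lt;script&gt;...&lt;/script&gt;
echo render_msg_safe($untrusted), PHP_EOL;       // empty: not an allowed key
echo render_msg_safe('saved'), PHP_EOL;          // <div class="alert">Purchase saved.</div>
```

Run with `php example.php`; in `add_purchase.php` the same two layers apply by passing `$_GET['msg'] ?? null` to `render_msg_safe()` instead of echoing it.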