# Vulnerability Summary: sourcecodeder Pharmacy Sales and Inventory System V1.0 XSS Vulnerability

## Vulnerability Overview

* **Vulnerability Type**: Cross-Site Scripting (XSS)
* **Affected Product**: Pharmacy Sales and Inventory System Project V1.0
* **Vulnerability Location**: The `name` parameter in the `/index.php?page=supplier` file
* **Root Cause**: The system fails to properly encode or filter user input and outputs it directly to the web page, which allows attackers to execute arbitrary script code.
* **Exploitation Conditions**: No login or authorization is required to exploit.

## Impact Scope

* **Information Theft**: Attackers can steal cookies, session tokens, or other sensitive information.
* **Malicious Operations**: Attackers can perform actions on behalf of victims, tamper with web pages, or redirect users to malicious websites.
* **System Control**: Attackers may gain control over the victim's browser, thereby threatening user privacy and system security.

## Remediation

1. **Output Encoding**: Encode user input when outputting it to the web page. Use different encoding methods for different contexts (e.g., HTML, JavaScript, CSS, URL) to ensure input is treated as plain text rather than code.
2. **Input Validation and Filtering**: Strictly validate and filter user input data. Only allow data that conforms to the expected format, and reject or escape any potentially malicious content (such as script tags, event handlers, etc.).
3. **Implement Content Security Policy (CSP)**: Enforce a strict CSP to restrict the sources of scripts that can be executed on the web page, preventing unauthorized script execution.
4. **Set Secure Cookie Flags**: For sensitive cookies (such as session cookies), set the `HttpOnly` flag to prevent access via JavaScript, and set the `Secure` flag to ensure transmission only occurs over HTTPS.
5. **Regular Security Audits**: Conduct regular security audits of code and systems to promptly identify and fix potential XSS vulnerabilities.

## POC Code

```html
prompt(xss)
```
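The following PHP snippet is an added example, not code from the Pharmacy Sales and Inventory System project, showing how remediation steps 1 through 4 fit together on a supplier page. It assumes the page reads the `name` parameter from `$_GET` and writes it into three contexts (HTML body, a URL query string, and a JavaScript string); the function names, the allowed-character rule for supplier names, and the CSP policy are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's own code): hardened handling of the
// `name` parameter on a supplier page. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern this replaces (kept in a PHP comment so it never runs):
//   <h2><?php echo $_GET['name']; ?></h2>
// Whatever the client sends in `name` lands in the page unencoded.

// 1. Output encoding: one encoder per output context.
function encode_html(string $value): string {
    // Escapes < > & " ' so the value renders as text inside an HTML element.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function encode_js(string $value): string {
    // Produces a quoted JS string literal; hex flags also neutralise </script>.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function encode_url_param(string $value): string {
    // Percent-encodes the value for use inside a query string.
    return rawurlencode($value);
}

// 2. Input validation: accept only what a supplier name can plausibly contain
//    (assumed rule: letters, digits, space and a few punctuation marks, max 100 chars).
function validate_supplier_name(?string $value): ?string {
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,&\'-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// 3. CSP: only same-origin scripts plus inline scripts carrying this request's nonce.
function send_security_headers(string $nonce): void {
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'"
    );
    header('X-Content-Type-Options: nosniff');
}

// 4. Session cookie with HttpOnly and Secure (plus SameSite) before the session starts.
function start_hardened_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

$nonce = base64_encode(random_bytes(16));
send_security_headers($nonce);
start_hardened_session();

$name = validate_supplier_name($_GET['name'] ?? null);
if ($name === null) {
    http_response_code(400);
    echo '<p>Invalid supplier name.</p>';
    exit;
}
?>
<h2>Supplier: <?= encode_html($name) ?></h2>
<a href="/index.php?page=supplier&amp;name=<?= encode_url_param($name) ?>">Permalink</a>
<script nonce="<?= encode_html($nonce) ?>">
  var supplierName = <?= encode_js($name) ?>;
</script>
```

Encoding is the control that actually closes the hole: even if the validation rule were loosened later, `encode_html`, `encode_url_param` and `encode_js` keep the value inert in each context. The validation step narrows the attack surface further and gives a clean 400 for junk input, and the nonce-based CSP means a stray inline script that does not carry the per-request nonce is refused by the browser even if some other page still echoes raw input.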