Impact
A cross‑site scripting flaw exists in the User Registration Endpoint of SourceCodester Inventory Management System, specifically when the full_name parameter is manipulated. The vulnerability allows an attacker to inject malicious scripts that can be executed in the browsers of other users who view affected pages, potentially leading to session hijacking, defacement, or theft of sensitive information. The flaw is a medium‑severity weakness with a CVSS score of 5.1 and does not have a publicly known exploit available in the CISA KEV catalog.
Affected Systems
Version 1.0 of the SourceCodester Inventory Management System, through the API handler file /api/users_handler.php, is affected. All installations that have not applied an official update or patch should be considered vulnerable.
Risk and Exploitability
The vulnerability can be triggered remotely by sending a crafted HTTP request to the full_name argument; it is therefore exploitable by adversaries with network access to the application. Although no exploits have been recorded in KEV, the lack of an EPSS score indicates limited publicly available exploitation data. Nonetheless, the moderate CVSS score reflects that an attacker who can reach the endpoint could leverage client‑side script execution to compromise targeted users.
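The weakness described above is a user-controlled field (full_name) reaching other users' browsers without output encoding. The following is an added illustration, not code from the SourceCodester project or from /api/users_handler.php: it contrasts an unescaped rendering of a display name with an escaped one, adds a conservative input check, and shows how an API handler that echoes the value back as JSON can encode it so that it stays inert if a page later inserts it into HTML. The function names, the character set accepted, and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not the project's code): handling a user-supplied
// full_name value defensively. Names and limits below are assumptions.
declare(strict_types=1);

/**
 * Hypothetical input check for a display name: reject empty or
 * over-long values and anything outside letters, marks, spaces,
 * apostrophes, hyphens and periods, so markup never reaches storage.
 */
function validate_full_name(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return false;
    }
    return preg_match("/^[\p{L}\p{M} .'\-]+$/u", $name) === 1;
}

/**
 * Vulnerable pattern: the raw value is interpolated into HTML, so any
 * markup it contains is rendered by the viewer's browser.
 */
function render_name_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

/**
 * Hardened pattern: the value is HTML-escaped at the point of output,
 * independently of whatever validation happened on the way in.
 */
function render_name_safe(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * For an API handler that returns the stored name as JSON: declare the
 * content type and hex-encode the characters that matter in HTML so the
 * payload is safe even if a client drops it into innerHTML.
 */
function json_response(array $data): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=UTF-8');
        header('X-Content-Type-Options: nosniff');
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($data, $flags | JSON_THROW_ON_ERROR);
}

// Constructed sample inputs: one ordinary name and one containing markup.
$samples = [
    'Ada Lovelace',
    "O'Brien <b>bold</b>",
];

foreach ($samples as $s) {
    printf("input:  %s\n", $s);
    printf("valid:  %s\n", validate_full_name($s) ? 'yes' : 'no');
    printf("unsafe: %s\n", render_name_unsafe($s));
    printf("safe:   %s\n", render_name_safe($s));
    printf("json:   %s\n\n", json_response(['full_name' => $s]));
}
```

Run it with `php example.php`. The second sample fails validation and, in the escaped and JSON outputs, the angle brackets come out as `&lt;`/`&gt;` and `\u003C`/`\u003E` respectively; only the unescaped rendering would hand the markup to a browser. Validation narrows what is accepted, but output encoding is the control that actually prevents the script execution described in the advisory, so both belong in a fix.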
OpenCVE Enrichment