Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the update_details.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject arbitrary web script or HTML that is stored in the database and executed whenever the store details page is accessed.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Stored XSS in web application
Action: Patch Now
AI Analysis

Impact

A stored cross-site scripting flaw exists in the update_details.php module of the SourceCodester Sales and Inventory System version 1.0. The application does not sanitize the website field supplied through a POST request. This omission allows an authenticated user to embed arbitrary JavaScript or HTML, which is saved to the database and rendered when the store details page is accessed. The injected code runs in the browser of any visitor viewing that page, so malicious scripts execute in the context of the application.

Affected Systems

SourceCodester Sales and Inventory System 1.0 is affected. The vulnerability arises when a user with permission to update store details submits a request to update_details.php. No other versions or products are listed as affected.

Risk and Exploitability

With a CVSS score of 6.1, the flaw carries medium severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. Exploitation requires a legitimate authenticated session possessing update rights. Once authenticated, an attacker can inject and store malicious script via the website field, which is then executed in any browser that opens the store details page. This raises the risk of unintended script execution for site visitors, although it does not provide a direct privilege escalation or data breach vector.

Generated by OpenCVE AI on March 30, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch or upgrade to a newer version of SourceCodester Sales and Inventory System that sanitizes the website field during updates.
  • If no patch is available, modify the application to escape or validate the website input before storing it in the database.
  • Restrict update permissions so that only trusted users can modify the website field.
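The second recommended action, shown as an added example that is not the project's own code: validate the website value on input, store it with a prepared statement, and encode it on output. The table and column names, the store id lookup, and the function names are assumptions.

```php
<?php
// Added example, not code from SourceCodester Sales and Inventory System.
// Table/column names and the surrounding request flow are assumed.

// Validate the "website" POST field: must be a well-formed http/https URL.
// Returns '' for an intentionally empty field, null when the value is rejected.
function validate_website(string $raw): ?string {
    $url = trim($raw);
    if ($url === '') {
        return '';
    }
    if (strlen($url) > 255 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                              // malformed or oversized input
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                              // rejects non-web schemes such as javascript:
    }
    return $url;
}

// Persist only validated input, using a bound parameter rather than string
// interpolation (assumed table "store_details" with columns website and id).
function store_website(PDO $db, int $storeId, string $raw): bool {
    $url = validate_website($raw);
    if ($url === null) {
        return false;                             // caller re-displays the form with an error
    }
    $stmt = $db->prepare('UPDATE store_details SET website = :w WHERE id = :id');
    return $stmt->execute([':w' => $url, ':id' => $storeId]);
}

// Encode on output when the store details page renders the field. The
// vulnerable pattern is echoing $row['website'] into the markup unchanged;
// escaping here means a future relaxation of validation cannot reintroduce XSS.
function render_website_link(string $website): string {
    if ($website === '') {
        return '';
    }
    $safe = htmlspecialchars($website, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" rel="noopener noreferrer">' . $safe . '</a>';
}

// Assumed use inside update_details.php:
// if (!store_website($db, (int) $_SESSION['store_id'], $_POST['website'] ?? '')) {
//     // report "Invalid website URL" and stop; nothing is written
// }
```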

Tracking


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | Stored XSS in SourceCodester Sales and Inventory System via Unsanitized Website Field

Mon, 30 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the update_details.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject arbitrary web script or HTML that is stored in the database and executed whenever the store details page is accessed.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T15:28:43.996Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30563

Vulnrichment

Updated: 2026-03-30T15:28:38.452Z

NVD

Status: Received

Published: 2026-03-30T15:16:26.460

Modified: 2026-03-30T16:16:05.943

Link: CVE-2026-30563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:34Z

Weaknesses