Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_payments.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Client-side Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected cross-site scripting vulnerability was discovered in the view_payments.php file of SourceCodester Sales and Inventory System 1.0, where the application does not sanitize the "limit" parameter. The flaw allows a remote attacker to inject arbitrary web script or HTML through a crafted URL. None of the public documentation details the exact outcomes; based on the nature of XSS, an attacker can potentially run code in the victim's browser, which may then be used to steal credentials, modify page content, or redirect users to malicious sites. The weakness is classified as CWE-79.

Affected Systems

SourceCodester Sales and Inventory System version 1.0 is affected.

Risk and Exploitability

The CVSS score of 6.1 places the vulnerability in the medium range. No EPSS score is provided and the issue is not listed in the CISA KEV catalog, indicating no widespread exploitation data. The likely attack vector is the usual one for reflected XSS: a victim must be induced to visit a maliciously constructed link, which can occur via phishing or malicious advertising. The exploitation requirements are low, needing only the delivery of a crafted URL to an unsuspecting user; the impact is limited to the victim's browser context.

Generated by OpenCVE AI on March 30, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s site for an update or patch that sanitizes the limit parameter and apply it as soon as possible.
  • If no patch is available, modify view_payments.php to properly encode or validate the limit parameter before it is included in the output.
  • Deploy a Web Application Firewall rule that blocks requests carrying XSS payloads in the limit parameter.
  • Enable a Content Security Policy that disallows inline scripts and restricts script sources.
  • Monitor web logs for unexpected usage of the limit parameter to detect potential abuse.
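A log check in the spirit of the last action above, added here as an example (it is not OpenCVE's or the project's code): it parses constructed combined-format access-log lines and reports requests to view_payments.php whose limit value is not a small positive integer, which is what a legitimate page-size parameter should be. The log format, the script path and the 1..9999 range are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2026:16:01:02 +0000] "GET /view_payments.php?limit=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Mar/2026:16:01:09 +0000] "GET /view_payments.php?limit=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [30/Mar/2026:16:02:40 +0000] "GET /view_payments.php?limit=10%3Cb%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0"
203.0.113.13 - - [30/Mar/2026:16:03:15 +0000] "GET /index.php?limit=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.14 - - [30/Mar/2026:16:04:00 +0000] "GET /view_payments.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed policy: a legitimate "limit" is an integer between 1 and 9999. Anything else
# (letters, markup, quotes, empty) is an anomaly worth reviewing.
VALID_LIMIT = re.compile(r'^[1-9]\d{0,3}$')


def suspicious_limit_requests(log_text, script="/view_payments.php"):
    """Return one record per request to `script` whose limit value fails the policy."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != script:
            continue  # only the affected script is of interest here
        # parse_qs percent-decodes values, so an encoded value is checked in its decoded form.
        for value in parse_qs(parts.query, keep_blank_values=True).get("limit", []):
            if not VALID_LIMIT.match(value):
                hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"), "limit": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_limit_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} suspicious limit={hit['limit']!r}")
```

Point the function at a real access log (for example, `open(path).read()`) to review its output alongside the WAF and CSP controls listed above.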


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values Added: Reflected XSS via Unsanitized 'limit' Parameter in SourceCodester Sales and Inventory System 1.0

Mon, 30 Mar 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 15:15:00 +0000

Type: Description
Values Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_payments.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T15:29:45.380Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30564

Vulnrichment

Updated: 2026-03-30T15:29:37.800Z

NVD

Status: Received

Published: 2026-03-30T15:16:26.590

Modified: 2026-03-30T16:16:06.113

Link: CVE-2026-30564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:33Z

Weaknesses