Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Mitigate
AI Analysis

Impact

This vulnerability is a Reflected Cross-Site Scripting flaw located in the view_purchase.php file of SourceCodester Sales and Inventory System 1.0. The application accepts a 'limit' query parameter without sanitizing it, so a crafted URL can inject arbitrary JavaScript or HTML. A remote attacker can trigger the execution of the injected script in the victim's browser. As a result, an attacker can perform actions such as stealing session cookies, defacing the site, or injecting malware, compromising the confidentiality and integrity of user data. The weakness is an instance of CWE-79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The affected system is the SourceCodester Sales and Inventory System, version 1.0. No other vendors or versions are listed in the vulnerability data. The flaw resides in the view_purchase module, which is built on PHP and serves publicly accessible purchase list pages.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while an EPSS score of <1% shows that current exploit prevalence is very low. The flaw is not listed in the CISA KEV catalog. Attackers would need to entice a user to visit a crafted URL carrying a malicious 'limit' parameter; no authentication or privileged access is required. Exploitation is straightforward for someone with knowledge of XSS techniques, but environmental constraints such as additional input filtering could mitigate risk.

Generated by OpenCVE AI on March 30, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Add server-side validation to the 'limit' parameter, ensuring it only accepts numeric values or a predefined whitelist.
  • Apply proper output encoding when rendering user-supplied data to prevent script execution.
  • Update or patch the application once an official fix is released.
  • If a patch is not immediately available, restrict access to the view_purchase page through authentication or restrict the 'limit' parameter via a firewall rule.
  • Conduct regular security testing and code reviews to detect similar input validation weaknesses.
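The first two recommended actions (strict validation of 'limit', then output encoding) as an added PHP illustration. This is not code from the Sales and Inventory System project; it assumes, hypothetically, that view_purchase.php reads the parameter from $_GET['limit'] and echoes it back into the page, which is the generic shape of a reflected XSS. The function names validated_limit, h and selftest are this example's own.

```php
<?php
// Added illustration, not the project's code. The $_GET['limit'] read-and-echo
// pattern is assumed here as the generic shape of the flaw, not taken from
// view_purchase.php itself.
declare(strict_types=1);

/**
 * Server-side validation of the 'limit' query parameter.
 * Only an integer in [1, $max] is accepted; anything else (letters, markup,
 * out-of-range numbers, a missing value) falls back to $default, so untrusted
 * text never reaches the response as the limit.
 */
function validated_limit(?string $raw, int $default = 10, int $max = 100): int
{
    if ($raw === null) {
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

/**
 * Output encoding for any user-controlled string rendered into an HTML body
 * or a quoted attribute. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak pattern (hypothetical, shown only for contrast): the raw parameter is
// placed straight into the markup, so any script or HTML in it is rendered.
//   echo 'Showing ' . $_GET['limit'] . ' rows';

// Hardened rendering: validate first, encode on output. Encoding an integer is
// harmless and keeps the template safe if a free-text filter is later reflected
// through the same line.
$limit = validated_limit($_GET['limit'] ?? null);
echo 'Showing ' . h((string) $limit) . ' rows';

/**
 * Constructed sample inputs exercising the validator and encoder.
 * Every entry should be true.
 */
function selftest(): array
{
    return [
        'in range'      => validated_limit('25') === 25,
        'below minimum' => validated_limit('0') === 10,
        'above maximum' => validated_limit('101') === 10,
        'markup input'  => validated_limit('<b>') === 10,
        'missing value' => validated_limit(null) === 10,
        'encoding'      => h('<b>"x"</b>') === '&lt;b&gt;&quot;x&quot;&lt;/b&gt;',
    ];
}
```

Validation decides what the parameter may be; encoding decides how whatever is rendered is written into HTML. Both are needed: validation alone leaves other reflected fields exposed, and encoding alone still lets nonsensical limits reach the query layer.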

Generated by OpenCVE AI on March 30, 2026 at 18:26 UTC.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

  Type: Title
  Value: Reflected XSS via limit Parameter in SourceCodester Sales and Inventory System

Mon, 30 Mar 2026 17:30:00 +0000

  Type: First Time appeared
  Values added: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom inventory System
  Type: CPEs
  Values added: cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*
  Type: Vendors & Products
  Values added: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom inventory System

Mon, 30 Mar 2026 15:00:00 +0000

  Type: Description
  Value removed: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
  Value added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Mon, 30 Mar 2026 08:15:00 +0000

  Type: First Time appeared
  Values added: Sourcecodester; Sourcecodester inventory System
  Type: Vendors & Products
  Values added: Sourcecodester; Sourcecodester inventory System

Sun, 29 Mar 2026 20:45:00 +0000

  Type: Title
  Value: Reflected XSS via 'limit' parameter in SourceCodester Inventory System 1.0

Sat, 28 Mar 2026 03:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

  Type: Title
  Value: Reflected XSS via 'limit' parameter in SourceCodester Inventory System 1.0
  Type: Weaknesses
  Values added: CWE-79

Fri, 27 Mar 2026 18:15:00 +0000

  Type: Description
  Values added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
  Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T14:34:54.423Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30568

Vulnrichment

Updated: 2026-03-27T21:59:25.293Z

NVD

Status : Analyzed

Published: 2026-03-27T18:16:05.190

Modified: 2026-03-30T17:18:38.480

Link: CVE-2026-30568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:07Z

Weaknesses