Executive Summary

CVE-2026-30527 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Online Food Ordering System version 1.0, specifically in the Category management module within the admin panel.

The vulnerability occurs because the application does not properly sanitize user input supplied to the "Category Name" field when creating or updating a category.

Malicious JavaScript code injected into this field is stored persistently in the system's database. When an administrator or user visits the Category list page or any page where the affected category is displayed, the injected script executes immediately in their browser.

This means that an attacker can inject harmful scripts that run automatically without further user interaction, potentially compromising the security of the application and its users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Persistent execution of malicious scripts in the browsers of administrators or users who visit affected pages.
• Potential session hijacking through theft of administrator cookies, which can lead to unauthorized access.
• Permanent defacement or alteration of the application's interface, damaging the integrity and trustworthiness of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject a known XSS payload into the Category Name field within the admin panel's Category Maintenance module and observing if the payload executes when the Category list page is loaded.

Steps to detect the vulnerability include:

• Log in as an administrator (default credentials: admin/admin).
• Navigate to the Maintenance -> Category List page at /admin/?page=maintenance.
• Create or update a category by injecting a test XSS payload such as `<img src="x" onerror="alert(778899)">` into the Category Name field.
• Save the category and then revisit the Category list page.

If the alert box with the number 778899 appears, it confirms the presence of the stored XSS vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Avoid using the Category Name input field until proper input sanitization is implemented.
• Restrict administrative access to trusted users only and ensure strong authentication mechanisms are in place.
• Manually review and remove any suspicious or malicious scripts injected into the Category Name fields in the database.
• Apply input validation and output encoding on the Category Name field to prevent execution of injected scripts.
• Monitor user sessions and logs for any signs of exploitation or unauthorized access.

Useful 0 Not Useful 0

Compliance Impact

The Stored Cross-Site Scripting (XSS) vulnerability in the Online Food Ordering System allows malicious scripts to execute in the browsers of administrators or users. This can lead to session hijacking and unauthorized access to sensitive information.

Such unauthorized access and potential data breaches could violate common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user sessions.

Therefore, the vulnerability poses a risk to compliance by potentially exposing sensitive user data and failing to ensure secure application behavior.

Useful 0 Not Useful 0