CVE-2026-30558
Reflected XSS in SourceCodester Sales Inventory add_customer.php

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Version / Range: 1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30558 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_customer.php file via the "msg" parameter.

The vulnerability occurs because the application does not properly sanitize the input received through the "msg" parameter, which is reflected back to the user without validation.

This allows remote attackers to inject arbitrary web scripts or HTML by crafting a malicious URL that includes a payload in the "msg" parameter.

When an authenticated user, typically an administrator, visits this crafted URL, the injected script executes in their browser.


How can this vulnerability impact me?

This vulnerability can have serious impacts including session hijacking and privilege escalation.

An attacker can steal administrator session cookies by executing malicious scripts in the context of the administrator's browser.

With stolen session information, attackers can impersonate the administrator and perform unauthorized actions within the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the add_customer.php page with a crafted URL that injects a script into the "msg" parameter. For example, you can use a URL like: http://127.0.0.1:8089/add_customer.php?msg=<img src="x" onerror="alert(808774)">. If the script executes (e.g., an alert box appears), the vulnerability is present.

To detect this on your system, you can use command-line tools such as curl or wget to send the crafted request and observe the response for reflected script content.

  • curl -i "http://your-target/add_customer.php?msg=<img src='x' onerror='alert(808774)'>"
  • wget -qO- "http://your-target/add_customer.php?msg=<img src='x' onerror='alert(808774)'>"

Additionally, manual testing by logging in as an administrator and visiting the crafted URL in a browser can confirm if the alert box or injected script executes.
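Sending the crafted request yourself is one way to check; another, which needs no probing of a production host, is to look for attempts in the web server's access log. The following PHP script is an added example written for this page (it is not part of the SourceCodester project): it parses combined-format log lines, pulls the decoded "msg" value of requests to add_customer.php, and flags values that contain an HTML tag, an inline on*= handler or a javascript: URL. The log lines are constructed for the example; the path check assumes the script is served at /add_customer.php. It needs PHP 8 for str_ends_with.

```php
<?php
// Added example, not code from the advisory or the SourceCodester project:
// find access-log entries where the "msg" parameter of add_customer.php
// carries markup instead of a plain status message.
declare(strict_types=1);

// Constructed sample log lines (Apache/nginx combined format).
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [30/Mar/2026:10:01:02 +0000] "GET /add_customer.php?msg=Customer%20added HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Mar/2026:10:02:15 +0000] "GET /add_customer.php?msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "curl/8.0"
10.0.0.9 - - [30/Mar/2026:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Mar/2026:10:04:01 +0000] "GET /add_customer.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 650 "-" "Mozilla/5.0"
LOG;

// Return the URL-decoded "msg" value of a request to add_customer.php,
// or null when the line is not such a request.
function extract_msg(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url   = $m[1];
    $path  = parse_url($url, PHP_URL_PATH);
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($path) || !str_ends_with($path, '/add_customer.php') || !is_string($query)) {
        return null;
    }
    parse_str($query, $params); // parse_str percent-decodes the values
    return (isset($params['msg']) && is_string($params['msg'])) ? $params['msg'] : null;
}

// Heuristic for a value that should be plain text but contains markup.
// A second decode pass catches doubly-encoded payloads; entity decoding
// catches "&lt;" style encodings.
function looks_like_xss(string $value): bool
{
    $v = strtolower(html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/', $v);
}

// Scan a whole log text; returns one entry per suspicious line.
function find_suspicious(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $idx => $line) {
        $msg = extract_msg($line);
        if ($msg !== null && looks_like_xss($msg)) {
            $hits[] = ['line' => $idx + 1, 'msg' => $msg];
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Point this at a real log with: php scan.php /var/log/apache2/access.log
    $log = isset($argv[1]) ? (string) file_get_contents($argv[1]) : SAMPLE_LOG;
    foreach (find_suspicious($log) as $hit) {
        printf("line %d: msg=%s\n", $hit['line'], $hit['msg']);
    }
}
```

On the constructed sample this reports lines 2 and 4 and stays quiet on the benign "Customer added" request. The check is a heuristic meant for triage, so treat a hit as something to review rather than proof of a successful attack; the response status in the same log line does not tell you whether the script executed in a victim's browser.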


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating the input received via the "msg" parameter in add_customer.php to prevent injection of arbitrary scripts.

Until a patch or fix is applied, restrict access to the vulnerable page to trusted users only, such as administrators, and avoid clicking on suspicious or untrusted URLs containing parameters.

Consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks.
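The three mitigation steps above amount to encoding the reflected value, limiting what the parameter may carry, and adding CSP as a backstop. The PHP below is an added example written for this page, not the project's own add_customer.php; the "unsafe" function is an assumption about how a status message is typically echoed, and the message codes in the allowlist are invented for the example.

```php
<?php
// Added example, not the SourceCodester code: the assumed vulnerable echo of
// a "msg" query parameter beside two hardened versions and a CSP header.
declare(strict_types=1);

// Assumed vulnerable shape: the raw parameter is concatenated into HTML.
function render_msg_unsafe(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Fix 1: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; always pass the charset explicitly.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_msg_safe(string $msg): string
{
    return '<div class="alert">' . html($msg) . '</div>';
}

// Fix 2 (stronger): a status message is one of a few fixed strings, so accept
// only a short code and look the text up server-side. Unknown codes render
// nothing at all. Codes and texts here are assumptions for the example.
const MSG_ALLOWLIST = [
    'added'   => 'Customer added successfully.',
    'exists'  => 'A customer with that name already exists.',
    'invalid' => 'Please fill in all required fields.',
];

function render_msg_allowlist(string $code): string
{
    if (!array_key_exists($code, MSG_ALLOWLIST)) {
        return '';
    }
    return '<div class="alert">' . html(MSG_ALLOWLIST[$code]) . '</div>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline script and
// on* event handlers even if an encoding bug slips through. Must be sent
// before any output.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed input of the shape described in the advisory.
    $payload = '<img src="x" onerror="alert(1)">';
    echo "unsafe:    ", render_msg_unsafe($payload), PHP_EOL;
    echo "encoded:   ", render_msg_safe($payload), PHP_EOL;
    echo "allowlist: ", render_msg_allowlist($payload) === '' ? '(nothing rendered)' : 'rendered', PHP_EOL;
    echo "allowlist: ", render_msg_allowlist('added'), PHP_EOL;
}
```

In the encoded output the angle brackets and quotes arrive in the browser as entities (&lt;img src=&quot;x&quot; ...), so the markup is displayed as text rather than parsed. The allowlist version is preferable when the page only ever needs a handful of messages, because it removes the untrusted string from the output path entirely; the CSP header is a backstop, not a substitute for either.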


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute arbitrary JavaScript code by injecting malicious scripts via the "msg" parameter, which can lead to session hijacking and privilege escalation. Such unauthorized access and potential data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and secure access controls.

Specifically, if an attacker hijacks an administrator's session, they could access sensitive personal or health information managed by the system, violating confidentiality and data protection requirements mandated by these regulations.

