Executive Summary

CVE-2026-30562 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_stock.php file.

The vulnerability occurs because the application does not properly sanitize the "msg" parameter received via a GET request. This parameter is reflected back to the user without validation, allowing an attacker to inject malicious JavaScript or HTML code.

An attacker can craft a malicious URL containing a payload that executes arbitrary scripts when an authenticated administrator accesses it. For example, a payload like `<img src="x" onerror="alert(808774)">` can trigger JavaScript execution in the administrator's browser.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts if exploited by an attacker.

• Session hijacking: Attackers can steal administrator session cookies, gaining unauthorized access.
• Privilege escalation: Attackers can perform unauthorized actions with administrative privileges.
• Execution of arbitrary scripts in the context of an authenticated user, potentially leading to further compromise of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the add_stock.php page with a crafted URL that injects a script into the "msg" parameter and observing if the script executes.

For example, you can use a web browser or command-line tools like curl to send a GET request with a payload such as:

• curl "http://<target-ip>:<port>/add_stock.php?msg=%3Cimg%20src=%22x%22%20onerror=%22alert(808774)%22%3E"

If the response page executes the injected JavaScript (e.g., showing an alert box), it confirms the presence of the reflected XSS vulnerability.

Note that the victim must be an authenticated administrator for the attack to succeed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to execute arbitrary scripts in the context of an authenticated administrator, potentially leading to session hijacking and privilege escalation.

Such unauthorized access and control over administrative functions could result in unauthorized disclosure or modification of sensitive data.

This may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the Reflected Cross-Site Scripting (XSS) vulnerability in the add_stock.php file of SourceCodester Sales and Inventory System 1.0, immediate steps include sanitizing and validating the "msg" parameter to prevent injection of malicious scripts.

Additionally, avoid clicking on or opening suspicious URLs containing crafted payloads, especially for authenticated administrator accounts.

Restrict access to the vulnerable page to trusted users only and consider implementing web application firewall (WAF) rules to detect and block malicious input patterns targeting the "msg" parameter.

If possible, update or patch the application to a version that addresses this vulnerability.

Useful 0 Not Useful 0