CVE-2026-30564
Reflected XSS in SourceCodester Sales Inventory System via view_payments.php
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30564 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the view_payments.php file.
The vulnerability occurs because the application does not properly sanitize the "limit" parameter, which is used for pagination control and received via a GET request.
This improper input handling allows remote attackers to inject arbitrary web scripts or HTML through a crafted URL, which is then reflected back and executed in the context of the victim's browser.
An example attack involves sending a malicious URL containing JavaScript code in the "limit" parameter that executes when an authenticated user, typically an administrator, visits the page.
How can this vulnerability impact me?
The impact of this XSS vulnerability is serious precisely because the injected script runs in the browser of an authenticated user, usually an administrator.
- Attackers can execute arbitrary JavaScript code in the context of the administrator's browser.
- This can lead to session hijacking, where attackers steal administrator session cookies.
- Attackers may escalate privileges and perform unauthorized actions within the system by leveraging the administrator's access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the "limit" parameter in the view_payments.php page for reflected Cross-Site Scripting (XSS). An effective method is to craft a URL with a script injection payload in the "limit" parameter and observe if the script executes when accessed by an authenticated user.
- Example test URL: `http://127.0.0.1:8089/view_payments.php?limit="><script>alert(15623);</script>`
If visiting this URL as a logged-in administrator triggers a JavaScript alert box (e.g., displaying "15623"), it confirms the presence of the reflected XSS vulnerability.
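As a defender-side complement to the browser test above, the following is an added example (not code from the original page or from the SourceCodester project): a retrospective check over web-server access logs that flags requests to view_payments.php whose `limit` value is anything other than plain digits, since a pagination size has no legitimate reason to contain quotes or angle brackets. The log lines are constructed samples in combined log format; only the script name and parameter name come from the advisory.

```php
<?php
// Added example, not from the original page: scan access-log lines for requests
// to view_payments.php whose "limit" query parameter is not a plain positive
// integer. A reflected payload such as the page's test URL shows up here as a
// percent-encoded value that decodes to quotes and a <script> tag.

function is_suspicious_limit_request(string $logLine): bool
{
    // Pull the request target out of the quoted request field: "GET /path HTTP/1.1"
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $target = $m[1];
    $path   = parse_url($target, PHP_URL_PATH);
    $query  = parse_url($target, PHP_URL_QUERY);
    if (!is_string($path) || !is_string($query) || basename($path) !== 'view_payments.php') {
        return false;
    }
    // parse_str percent-decodes the values, so encoded payloads are compared in clear.
    parse_str($query, $params);
    if (!isset($params['limit'])) {
        return false;
    }
    // Anything other than digits in a page-size parameter warrants review.
    return preg_match('/^\d+$/', (string) $params['limit']) !== 1;
}

function find_suspicious_requests(array $lines): array
{
    return array_values(array_filter($lines, 'is_suspicious_limit_request'));
}

// Constructed sample log lines (not real traffic). The second one carries the
// advisory's test payload, percent-encoded as a browser would send it.
$sampleLog = [
    '10.0.0.5 - - [30/Mar/2026:10:01:02 +0000] "GET /view_payments.php?limit=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Mar/2026:10:03:44 +0000] "GET /view_payments.php?limit=%22%3E%3Cscript%3Ealert(15623)%3B%3C/script%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Mar/2026:10:05:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (find_suspicious_requests($sampleLog) as $hit) {
    echo 'review: ', $hit, PHP_EOL;   // prints only the second sample line
}
```

Run it against a real log with `php scan.php < access.log` after replacing `$sampleLog` with lines read from STDIN; a hit is a request to review, not proof of a successful attack, since the page is only exploited when an authenticated user opens such a URL.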
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System 1.0 can lead to session hijacking and privilege escalation by allowing attackers to execute arbitrary scripts in the context of an authenticated administrator.
Such unauthorized access and potential data exposure can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user privacy.
Specifically, if attackers leverage this vulnerability to steal session cookies or perform unauthorized actions, it could result in unauthorized access to personal or protected health information, violating confidentiality and security requirements mandated by these regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Reflected Cross-Site Scripting (XSS) vulnerability in the view_payments.php file, you should immediately implement proper input sanitization and validation for the "limit" parameter to prevent injection of arbitrary scripts.
Additionally, restrict access to the vulnerable page to only trusted authenticated users and educate administrators to avoid clicking on suspicious or untrusted URLs.
As a temporary measure, consider applying web application firewall (WAF) rules to detect and block malicious payloads targeting the "limit" parameter.
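To make the first mitigation concrete, here is an added illustration in PHP (not code from the SourceCodester project; the way view_payments.php actually builds its pagination markup is assumed, not taken from the page). It places a hypothetical vulnerable pattern, where the raw `limit` value is echoed into an attribute, beside a hardened version that accepts only an integer from an allow-list of page sizes and escapes on output.

```php
<?php
// Added illustration, not the project's code. The vulnerable function is a
// hypothetical reconstruction of the pattern CVE-2026-30564 describes; the
// hardened one shows the fix: validate, allow-list, then escape on output.

// Vulnerable form (illustrative): the raw query-string value is reflected into an
// HTML attribute, so a value that closes the attribute and opens a tag is executed.
function render_limit_field_vulnerable(array $get): string
{
    $limit = $get['limit'] ?? '10';
    return '<input type="hidden" name="limit" value="' . $limit . '">';
}

// Hardened form: page sizes the UI actually offers (assumed values) and a default.
const ALLOWED_LIMITS = [10, 25, 50, 100];
const DEFAULT_LIMIT  = 10;

function sanitize_limit($raw): int
{
    // FILTER_VALIDATE_INT returns false for anything that is not an integer
    // string (quotes, angle brackets, floats, trailing text), so the payload
    // never survives as a value; the allow-list then rejects odd sizes.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false || !in_array($n, ALLOWED_LIMITS, true)) {
        return DEFAULT_LIMIT;
    }
    return $n;
}

function render_limit_field_hardened(array $get): string
{
    $limit = sanitize_limit($get['limit'] ?? DEFAULT_LIMIT);
    // $limit is already an int, but every value written into HTML is escaped
    // anyway so the rule survives later edits that might pass a string here.
    $safe = htmlspecialchars((string) $limit, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="limit" value="' . $safe . '">';
}

// Self-check with a constructed request carrying the advisory's test value.
$probe = ['limit' => '"><script>alert(15623);</script>'];
echo render_limit_field_vulnerable($probe), PHP_EOL;           // attribute is broken out of
echo render_limit_field_hardened($probe), PHP_EOL;             // value="10"
echo render_limit_field_hardened(['limit' => '50']), PHP_EOL;  // value="50"
```

The validated integer is also the only form of `limit` that should reach the pagination query; treating the value as a number at the boundary, rather than filtering characters out of a string, is what makes both the HTML and any later use of it safe.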