CVE-2026-30565
Reflected XSS in SourceCodester Sales Inventory System Limits Parameter
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30565 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System 1.0, specifically in the view_supplier.php file.
The vulnerability occurs because the application does not properly sanitize the "limit" parameter, which is used for pagination and received via a GET request.
An attacker can craft a malicious URL containing JavaScript code in the "limit" parameter. When an authenticated user, typically an administrator, accesses this URL, the injected script executes in their browser.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including session hijacking and privilege escalation.
- Attackers can steal administrator session cookies, allowing them to impersonate the administrator.
- By exploiting the administrator's privileges, attackers can perform unauthorized actions within the system.
The attack requires the victim to be logged in as an administrator and to access a specially crafted URL.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the "limit" parameter in the view_supplier.php page for reflected Cross-Site Scripting (XSS). An attacker can craft a URL with a JavaScript payload in the "limit" parameter and observe if the script executes when accessed by an authenticated user.
For example, you can use a command-line tool like curl or a browser to send a request similar to the following:
- curl -i "http://your-target/view_supplier.php?limit=\"%3E%3Cscript%3Ealert(15623);%3C/script%3E"
If the response contains the injected script and it executes (e.g., an alert box appears when accessed via a browser as an authenticated user), the vulnerability is present.
Note that the vulnerable page requires authentication, so detection should be performed with valid administrator credentials.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating the "limit" parameter input in the view_supplier.php file to prevent injection of arbitrary scripts.
Specifically, ensure that any input used for pagination or other purposes is properly escaped or filtered to allow only expected values (e.g., numeric limits).
Additionally, restrict access to the vulnerable page to trusted users and consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS.
If possible, update or patch the application to a version where this vulnerability is fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System 1.0 can lead to session hijacking and privilege escalation by allowing attackers to execute arbitrary scripts in the context of an authenticated administrator.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
Specifically, if attackers exploit this vulnerability to steal session cookies or perform unauthorized actions, it could lead to exposure or manipulation of protected data, thereby violating data protection requirements.