CVE-2026-30570
Status: Received - Intake
Reflected XSS in SourceCodester Inventory System view_sales.php

Publication date: 2026-03-27

Last updated on: 2026-04-06

Assigner: MITRE

Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ahsanriaz26gmailcom
Product: inventory_system
Version / Range: 1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The Reflected Cross-Site Scripting (XSS) vulnerability in SourceCodester Inventory System 1.0 allows attackers to execute arbitrary scripts in the context of authenticated administrator sessions. This can lead to session hijacking and unauthorized actions with administrator privileges.

Such unauthorized access and potential data manipulation or exposure can compromise the confidentiality and integrity of sensitive data, which may violate requirements under common standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, this vulnerability can negatively impact compliance by exposing the system to risks of data breaches and unauthorized access.


Can you explain this vulnerability to me?

CVE-2026-30570 is a Reflected Cross-Site Scripting (XSS) vulnerability found in SourceCodester Inventory System version 1.0, specifically in the view_sales.php file.

The vulnerability occurs because the application does not properly sanitize the "limit" parameter, which is used for pagination control and received via a GET request.

An attacker can craft a URL containing malicious JavaScript code in the "limit" parameter. When an authenticated administrator visits this URL, the injected script is reflected back and executed in their browser.


How can this vulnerability impact me?

This vulnerability can allow attackers to perform session hijacking by stealing session cookies of authenticated administrators.

It can also lead to privilege escalation, enabling attackers to perform unauthorized actions on behalf of the administrator.

Overall, it compromises the security of the system by allowing remote attackers to inject and execute arbitrary web scripts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the "limit" parameter in the view_sales.php page for reflected script injection. A common method is to send a crafted URL with a script payload and observe if the script is reflected and executed in the response.

  • Use a browser or a tool like curl or wget to request a URL such as: http://your-target/view_sales.php?limit=\"><script>alert(15623);</script>
  • If the alert box with "15623" appears (or the script is reflected in the response), the vulnerability is present.
  • Example curl command to test the vulnerability: curl -i "http://your-target/view_sales.php?limit=\"><script>alert(15623);</script>"
  • Monitor HTTP responses for reflected script content in the "limit" parameter without proper sanitization.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating the input received via the "limit" parameter to prevent injection of malicious scripts.

Ensure that all user-supplied input is properly encoded before being reflected in the HTML response.

Restrict access to the vulnerable page (view_sales.php) to trusted users only, and consider applying web application firewall (WAF) rules to block suspicious payloads targeting the "limit" parameter.

If possible, update or patch the SourceCodester Inventory System to a version where this vulnerability is fixed.
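As an added illustration (not the SourceCodester project's own code; the function names, the markup and the allowed page sizes are assumptions), the following PHP shows the unsafe reflection pattern the advisory describes next to a hardened version that validates the "limit" parameter as an integer from an allow-list and HTML-encodes whatever reaches the response:

```php
<?php
// Added illustrative example, not code from the affected application.
// It contrasts the defect pattern the advisory describes (an unsanitized
// "limit" GET parameter reflected into HTML) with a hardened handling.
// Function names, the <option> markup and the allow-list are assumptions.

// Vulnerable pattern (assumed): the raw parameter is echoed into markup.
function render_limit_unsafe(array $get): string
{
    $limit = $get['limit'] ?? '10';
    return '<option value="' . $limit . '" selected>' . $limit . '</option>';
}

// Hardened version: accept only an integer from a fixed allow-list,
// falling back to a default for anything else.
function sanitize_limit($raw, int $default = 10): int
{
    $allowed = [10, 25, 50, 100];
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer string.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false || !in_array($value, $allowed, true)) {
        return $default;
    }
    return $value;
}

function render_limit_safe(array $get): string
{
    $limit = sanitize_limit($get['limit'] ?? null);
    // Output encoding is applied even though the value is now an int, so the
    // pattern stays correct if the type check is ever loosened later.
    $enc = htmlspecialchars((string) $limit, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<option value="' . $enc . '" selected>' . $enc . '</option>';
}

// Constructed sample inputs for demonstration.
$benign  = ['limit' => '25'];
$hostile = ['limit' => '"><script>alert(1)</script>'];

echo render_limit_unsafe($benign), "\n";   // value passes through untouched
echo render_limit_unsafe($hostile), "\n";  // markup breaks out of the attribute
echo render_limit_safe($benign), "\n";     // allow-listed value accepted
echo render_limit_safe($hostile), "\n";    // rejected, default used, nothing reflected
```

Validating the value as an integer is the primary control here: a pagination limit has no legitimate reason to contain anything but digits, and an allow-list also bounds the page size. The `htmlspecialchars` call is the secondary, output-side control that the advisory's "properly encoded before being reflected" step refers to; keeping both means a later change to the validation does not silently reintroduce the reflection.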

