CVE-2026-3702
Cross-Site Scripting in SourceCodester Loan Management System /index.php
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | loan_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3702 is a Reflected Cross-Site Scripting (XSS) vulnerability found in SourceCodester Loan Management System version 1.0, specifically in the /index.php file.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize user input supplied via the "page" parameter, which is then reflected in the web page output.'}, {'type': 'paragraph', 'content': 'This flaw allows remote attackers to inject arbitrary web scripts or HTML by crafting a malicious URL that manipulates the "page" parameter, leading to execution of unauthorized scripts in the context of the victim\'s browser.'}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploiting this vulnerability can lead to the execution of unauthorized scripts in a victim's browser, potentially compromising user data or session integrity."}, {'type': 'paragraph', 'content': 'An attacker can use this flaw to perform actions such as stealing cookies, session tokens, or other sensitive information accessible through the browser.'}, {'type': 'paragraph', 'content': 'Since the attack is remote and requires no authentication, it can be triggered by tricking a user into clicking a crafted malicious link.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the 'page' parameter in the /index.php file of the SourceCodester Loan Management System 1.0 for reflected cross-site scripting (XSS). One approach is to craft URLs that inject JavaScript or HTML code into the 'page' parameter and observe if the input is reflected unsanitized in the HTTP response."}, {'type': 'list_item', 'content': 'Use a web browser or tools like curl or wget to send requests with payloads in the \'page\' parameter, for example: curl "http://target/index.php?page=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'Use Google dorking with queries such as inurl:index.php to identify potentially vulnerable targets.'}, {'type': 'list_item', 'content': "Employ web vulnerability scanners that support XSS detection targeting the 'page' parameter in index.php."}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been documented for this vulnerability. The suggested immediate step is to replace the affected product with an alternative solution that does not contain this vulnerability.'}, {'type': 'paragraph', 'content': "Additionally, as a temporary measure, avoid clicking on suspicious links that manipulate the 'page' parameter and consider implementing web application firewall (WAF) rules to block suspicious input patterns targeting this parameter."}] [2]