CVE-2026-5240
Status: Received - Intake
Cross-Site Scripting in BloodBank 1.0 /admin_state.php

Publication date: 2026-04-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Compliance Impact

The vulnerability allows execution of arbitrary JavaScript in users' browsers, which can lead to theft of session cookies, hijacking of administrator sessions, unauthorized actions, and injection of malicious content. Such security weaknesses can result in unauthorized access to sensitive data and compromise the integrity and confidentiality of the system.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of a stored cross-site scripting vulnerability in an application managing sensitive data (such as a Blood Bank system) could potentially lead to violations of these regulations. This is because unauthorized access or manipulation of data due to this vulnerability may breach requirements for data protection, user privacy, and system security mandated by such standards.

Executive Summary

CVE-2026-5240 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Blood Bank Managing System version 1.0, specifically in the administrative component at the /Blood_Bank/admin_state.php endpoint.

The vulnerability occurs because the application accepts user input through the statename parameter via an HTTP POST request and stores it directly in the backend database without any input validation or sanitization.

When the stored value is later displayed in the web interface, it is rendered without applying output encoding functions, allowing embedded HTML or JavaScript code to execute in users' browsers.

This enables attackers to inject arbitrary scripts that can execute whenever the affected page is viewed.

Impact Analysis

This vulnerability can have several impacts including:

  • Execution of arbitrary JavaScript code in users' browsers.
  • Theft of session cookies, which can lead to hijacking of administrator sessions.
  • Unauthorized actions within the application performed by attackers.
  • Injection of malicious content into the administrative interface.
  • Phishing attacks targeting users of the application.

Because the malicious payload is stored persistently in the database, every user who views the page that lists stored states is affected, not only the user who submitted it; as this is an administrative page, the victims are typically administrators.

Detection Guidance

This vulnerability can be detected by testing the /Blood_Bank/admin_state.php endpoint for stored cross-site scripting (XSS) in the statename parameter via HTTP POST requests.

A practical detection method is to send a crafted POST request with a payload containing HTML or JavaScript code in the statename parameter and then observe if the payload is stored and executed when viewing the affected page.

Example command using curl to test the vulnerability:

  • curl -X POST -d "statename=<details/open/ontoggle=prompt(origin)>" http://[target]/Blood_Bank/admin_state.php

After sending this request, visit the page that displays the stored states to check if the JavaScript prompt appears, confirming the XSS vulnerability. If the administrative area requires a login, send the request with a valid admin session cookie (curl's -b option), otherwise the POST will be redirected or rejected before anything is stored. Confirm the finding in the HTML source of the listing page as well: the vulnerability is present if the tag appears verbatim, and absent if it appears entity-encoded (for example &lt;details ...&gt;). Because the payload is stored, remove the test record afterwards so it does not keep firing for other administrators.
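The following PHP CLI script is an added example and is not part of the advisory or of the BloodBank project. It automates the check just described with a fresh marker per run, so the verdict is based on your own payload rather than something another tester left behind: it posts the payload to the statename parameter, fetches the page that lists stored states, and reports whether the payload came back verbatim (vulnerable), altered or entity-encoded (stored but neutralised; review manually), or not at all. The listing URL, the need for a PHPSESSID-style admin cookie, and PHP 8 (for str_contains) are assumptions; without arguments the script runs only the classifier over constructed sample HTML.

```php
<?php
// Added example, not BloodBank's own code. Checks whether a value posted to
// the statename parameter is later rendered unencoded on the listing page.
// Assumes PHP 8+, allow_url_fopen enabled, and that the listing URL and any
// session cookie are supplied on the command line.
declare(strict_types=1);

// Unique, unguessable marker so we match our payload and nobody else's.
function make_marker(): string
{
    return 'xss' . bin2hex(random_bytes(4));
}

// Same trigger as the advisory's payload, but it only logs the marker to the
// browser console instead of opening a prompt in a real admin's session.
function make_payload(string $marker): string
{
    return "<details/open/ontoggle=console.log('{$marker}')>";
}

// Classify the listing page: the tag and its handler reached the page
// verbatim (vulnerable), the marker survived but the markup was changed,
// e.g. entity-encoded or filtered (altered), or nothing was stored/shown.
function classify_reflection(string $html, string $marker): string
{
    if (str_contains($html, make_payload($marker))) {
        return 'vulnerable';
    }
    if (str_contains($html, $marker)) {
        return 'altered';
    }
    return 'absent';
}

// Minimal HTTP client on the stream wrapper; no extension needed.
function http_request(string $url, string $method, ?string $body, string $cookie): string
{
    $headers = '';
    if ($cookie !== '') {
        $headers .= "Cookie: {$cookie}\r\n";
    }
    if ($body !== null) {
        $headers .= "Content-Type: application/x-www-form-urlencoded\r\n";
    }
    $ctx = stream_context_create(['http' => [
        'method'        => $method,
        'header'        => $headers,
        'content'       => $body ?? '',
        'ignore_errors' => true,   // keep the body on 4xx/5xx for inspection
        'timeout'       => 10,
    ]]);
    $resp = file_get_contents($url, false, $ctx);
    if ($resp === false) {
        throw new RuntimeException("request to {$url} failed");
    }
    return $resp;
}

// Store the payload via the statename parameter, then read the listing page.
function check_stored_xss(string $postUrl, string $listUrl, string $cookie): array
{
    $marker = make_marker();
    $body   = http_build_query(['statename' => make_payload($marker)]);
    http_request($postUrl, 'POST', $body, $cookie);
    $html = http_request($listUrl, 'GET', null, $cookie);
    return ['marker' => $marker, 'result' => classify_reflection($html, $marker)];
}

if ($argc >= 3) {
    // php xss_check.php <post-url> <listing-url> ['PHPSESSID=...']
    $r = check_stored_xss($argv[1], $argv[2], $argv[3] ?? '');
    echo "{$r['result']} (marker {$r['marker']})", PHP_EOL;
} else {
    // Offline demonstration on constructed responses, no target required.
    $m       = make_marker();
    $raw     = '<td>' . make_payload($m) . '</td>';                                    // unencoded
    $encoded = '<td>' . htmlspecialchars(make_payload($m), ENT_QUOTES, 'UTF-8') . '</td>'; // encoded
    $clean   = '<td>Kerala</td>';                                                        // never stored
    foreach (['raw' => $raw, 'encoded' => $encoded, 'clean' => $clean] as $label => $html) {
        echo $label, ': ', classify_reflection($html, $m), PHP_EOL;
    }
}
```

Run it as `php xss_check.php http://[target]/Blood_Bank/admin_state.php http://[target]/Blood_Bank/admin_state.php 'PHPSESSID=...'`, passing the page that actually lists the states as the second argument if it differs from the POST endpoint. A "vulnerable" verdict means the browser will execute the handler when that page is opened; "altered" means the value was stored but changed on output and the encoding should be inspected by hand. The check leaves a row containing the payload in the database, so delete it after testing.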

Mitigation Strategies

Immediate mitigation steps include:

  • Implement output encoding on the statename value at every point where it is rendered in the web interface, for example using PHP's htmlspecialchars() with ENT_QUOTES and an explicit charset, so that < > " and ' become entities and a stored tag is displayed as text. This is the primary control; it works even for records that were stored before the fix.
  • Validate the statename parameter before storing it (for example, restrict it to letters, spaces and hyphens with a length limit) and reject anything else. Treat this as a secondary control: validation limits what reaches the database but does not replace output encoding.
  • Deploy Content Security Policy (CSP) headers such as Content-Security-Policy: default-src 'self' to reduce the risk of script execution. Because this policy does not allow 'unsafe-inline', it blocks inline event handlers like the ontoggle attribute in the published payload even if an encoding step is missed.

These steps help prevent the injection and execution of malicious scripts, protecting users from session hijacking and other attacks.
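As an added illustration (not BloodBank's own code; the advisory does not reproduce the original admin_state.php), the following PHP contrasts the handler pattern described in the Executive Summary, where statename is stored and echoed verbatim, with the three mitigations listed above. The table name states, the column statename, the validation rule, and the use of PDO with an in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not BloodBank's own code. The "vulnerable" functions are a
// reconstruction of the pattern the advisory describes; the "safe" functions
// are the recommended fix. Table/column names and the PDO/SQLite setup are
// assumptions for a self-contained demonstration.
declare(strict_types=1);

// --- Vulnerable pattern: stored verbatim, rendered verbatim -----------------
function vulnerable_store(PDO $db, array $post): void
{
    // No validation: whatever arrived in statename goes into the database.
    $db->prepare('INSERT INTO states (statename) VALUES (?)')
       ->execute([$post['statename']]);
}

function vulnerable_render(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . $row['statename'] . '</li>';   // raw output: stored XSS
    }
    return $html . '</ul>';
}

// --- Hardened pattern -------------------------------------------------------
// Secondary control: accept only plausible state names (letters, spaces,
// hyphens, 1..64 characters) and reject everything else before storage.
function validate_statename(string $name): ?string
{
    $name = trim($name);
    return preg_match('/^[\p{L} \-]{1,64}$/u', $name) === 1 ? $name : null;
}

function safe_store(PDO $db, array $post): bool
{
    $name = validate_statename((string)($post['statename'] ?? ''));
    if ($name === null) {
        return false;   // rejected, nothing stored
    }
    $db->prepare('INSERT INTO states (statename) VALUES (?)')->execute([$name]);
    return true;
}

// Primary control: encode at the point of output, whatever validation did.
// ENT_QUOTES covers both quote characters; the charset must be explicit.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safe_render(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . e($row['statename']) . '</li>';   // tag shown as text
    }
    return $html . '</ul>';
}

// Defence in depth: without 'unsafe-inline', the browser refuses inline
// event handlers such as ontoggle=... even if an encoding step is missed.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

// --- Demonstration with constructed data -----------------------------------
send_security_headers();   // a no-op under the CLI, must precede output on the web
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE states (id INTEGER PRIMARY KEY, statename TEXT NOT NULL)');

$attack = ['statename' => '<details/open/ontoggle=prompt(origin)>'];

// The vulnerable path stores the payload and renders it as live markup.
vulnerable_store($db, $attack);
$rows = $db->query('SELECT statename FROM states')->fetchAll(PDO::FETCH_ASSOC);
echo 'vulnerable: ', vulnerable_render($rows), PHP_EOL;

// The same rows rendered through the encoder are inert text in the browser.
echo 'encoded:    ', safe_render($rows), PHP_EOL;

// The hardened store rejects the payload and accepts a real state name.
echo 'store payload accepted: ', var_export(safe_store($db, $attack), true), PHP_EOL;
echo 'store "Tamil Nadu" accepted: ', var_export(safe_store($db, ['statename' => 'Tamil Nadu']), true), PHP_EOL;
```

Running it shows the payload surviving as a real <details> element in the vulnerable rendering and as &lt;details ...&gt; text in the encoded one, while the hardened store refuses the payload outright. Encoding belongs in the rendering code, not in the store: records already present in the database from before the fix are only made safe by the output path.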
