CVE-2026-7390
Cross-Site Scripting in Pharmacy Sales and Inventory System
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7390 is a Cross-Site Scripting (XSS) vulnerability in the Pharmacy Sales and Inventory System version 1.0 by SourceCodester. It is located in the customer page, '/index.php?page=customer', and results from improper input validation and missing output encoding of the 'name' parameter.
Attackers can exploit it by injecting script code through the 'name' parameter; because the value is reflected into the page without sanitization, the script executes in the victim's browser.
Can you explain this vulnerability to me?
This vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System 1.0, specifically in the Customer function of the file /index.php?page=customer.
It is caused by improper handling of the 'Name' argument, which allows an attacker to perform cross-site scripting (XSS) attacks.
The attack can be launched remotely, and the exploit code is publicly available.
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject malicious scripts into the web application, which may be executed in the context of other users.
Such cross-site scripting attacks can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data or trust.
Since the attack can be performed remotely and the exploit is public, it increases the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Cross-Site Scripting (XSS) vulnerability in the Pharmacy Sales and Inventory System allows attackers to execute malicious scripts in users' browsers, potentially leading to theft of sensitive information such as cookies or session tokens.
Such unauthorized access and exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health-related information against unauthorized access and breaches.
Therefore, this vulnerability poses a risk to compliance by potentially enabling data breaches and unauthorized actions that violate these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'name' parameter in the '/index.php?page=customer' endpoint for improper input validation and output encoding.
A common method is to inject a simple XSS payload such as `<script>prompt(/xss/);</script>` into the 'name' parameter and observe if the script executes in the browser.
For example, you can use curl or a browser to send a request like:
- `curl "http://targetsite/index.php?page=customer&name=<script>prompt(/xss/);</script>"`
If the payload executes (e.g., a prompt box appears), the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and output encoding on the 'name' parameter to prevent malicious script injection.
Additionally, applying a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts.
Setting secure cookie flags and conducting regular security audits are also recommended to reduce the risk.
How can this vulnerability impact me?
This vulnerability can allow attackers to steal sensitive information such as cookies or session tokens, perform unauthorized actions on behalf of the user, deface web pages, or redirect users to malicious websites.
The attack can be launched remotely and does not require authentication, increasing the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'name' parameter in the '/index.php?page=customer' endpoint for improper input validation and output encoding. You can attempt to inject a simple XSS payload such as `<script>prompt(/xss/);</script>` into the 'name' parameter and observe if it executes in the browser.
For detection, you can use tools like curl or wget to send HTTP requests with the malicious payload and check the response for reflected scripts.
- Example curl command to test the vulnerability: `curl -i "http://targetsite/index.php?page=customer&name=<script>prompt(/xss/);</script>"`
- Use a web proxy or browser developer tools to inspect if the injected script is executed or reflected in the response.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and output encoding on the 'name' parameter to prevent execution of malicious scripts.
- Apply output encoding to all user-supplied input before rendering it in the browser.
- Implement a Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
- Set secure cookie flags such as HttpOnly and Secure to protect session cookies.
- Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
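A hardened handling of the 'name' parameter that applies the steps above, as an added PHP example that is not code from the SourceCodester project; the helper names, the allow-list rule and the constructed request are assumptions.

```php
<?php
// Added example, not SourceCodester code; helper names and the allow-list
// rule below are the example's own assumptions.

// Output encoding for HTML body and quoted-attribute contexts; ENT_QUOTES
// covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from emptying it.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list validation: letters, combining marks, spaces, apostrophes, periods
// and hyphens, at most 100 characters. Returns null on rejection.
function validateCustomerName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/^[\p{L}\p{M}\s\'.\-]+$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// CSP without 'unsafe-inline' so a reflected <script> block is refused even
// if an encoding bug slips through, plus HttpOnly/Secure/SameSite cookies.
function sendHardenedHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Constructed request reusing the probe value quoted on this page, instead
// of reading $_GET, so the example runs from the command line.
$request = ['name' => '<script>prompt(/xss/);</script>'];

sendHardenedHeaders();
$name = validateCustomerName($request['name']);
if ($name === null) {
    // Rejected: still encode the echoed value, never reflect it raw.
    echo 'Invalid customer name: ', encodeForHtml($request['name']), PHP_EOL;
} else {
    echo 'Customer: ', encodeForHtml($name), PHP_EOL;
}
```

With the constructed value the name is rejected by the allow-list and the echoed copy is entity-encoded, so the browser renders it as text rather than executing it.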