
CVE-2023-23026

Cross-site scripting (XSS) vulnerability in SourceCodester oretnom23 Sales Management System 1.0 allows attackers to inject arbitrary web script (executed in the browser of anyone who views the page) via the product_name and product_price inputs rendered by the file print.php.


CVE-2023-23026 has been assigned to this issue.


Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code

Multiple stored XSS vulnerabilities.

The submitted inputs (the sources) are written to the database exactly as received: the controllers pass the whole POST body to DB::save() with no validation, and the views later echo the stored values into HTML without any output encoding.

```php
// Controllers/Categories.php
// Source: the entire POST body is mass-assigned and stored unvalidated.
$data = $this->input->post();
if ($insert_id = DB::save(TABLE_CATEGORIES, $data)) {
    //…
}
```

```php
// Controllers/Orders.php
// Same pattern: any field the attacker adds to the request is persisted.
$data = $this->input->post();
if (DB::save(TABLE_ORDERS, $data)) {
    //…
}
```

```php
// Controllers/Products.php
// product_name and product_price arrive here and are saved verbatim.
$data = $this->input->post();
if ($insert_id = DB::save(TABLE_PRODUCTS, $data)) {
    //…
}
```

```php
// views/orders/print.php
// Sink: the stored product_name is echoed into a table cell with no escaping.
<?php $product_name = DB::get_cell(TABLE_PRODUCTS, $where, 'product_name'); ?>
<td><?=$product_name ?></td>
```

```php
// views/orders/form.php
// Sink: product_name and product_price are interpolated into <option> markup
// (text node and attribute context) without htmlspecialchars().
<?php foreach (DB::get(TABLE_PRODUCTS) as $row): ?>
<option value="<?=$row->product_id ?>"><?=ucfirst($row->product_name) ?> - <?=$row->product_price ?></option>
<?php endforeach; ?>
```
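The following is an added, stand-alone PHP example and not code from the Sales Management System project. It reproduces the pattern the snippets above show (an attacker-controlled value stored as-is and interpolated into HTML) next to a hardened version that validates on input and encodes on output. The functions render_vulnerable(), validate_product(), h() and render_hardened(), the in-memory $row standing in for a TABLE_PRODUCTS record, and the two payloads are all constructed for this illustration.

```php
<?php
// Added example: a vulnerable render path beside its hardened form.
// Not part of the original project; all names below are illustrative.
declare(strict_types=1);

// Constructed stand-in for the mass-assigned POST body that Products.php
// hands straight to DB::save(). Both strings are attacker-controlled.
$submitted = [
    'product_name'  => '<img src=x onerror=alert(document.cookie)>',
    'product_price' => '10"><script>alert(1)</script>',
];

// Vulnerable pattern, mirroring print.php and form.php: whatever was
// stored is concatenated into markup with no output encoding.
function render_vulnerable(array $row): string
{
    return '<td>' . $row['product_name'] . '</td>'
         . '<option value="' . $row['product_id'] . '">'
         . ucfirst($row['product_name']) . ' - ' . $row['product_price']
         . '</option>';
}

// Input validation: accept only the fields the table needs (dropping any
// extra keys an attacker adds to the POST body) and enforce their shape.
function validate_product(array $input): array
{
    $name  = trim((string)($input['product_name'] ?? ''));
    $price = (string)($input['product_price'] ?? '');

    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('product_name must be 1-100 characters');
    }
    // product_price is a non-negative decimal with at most two places.
    if (!preg_match('/^\d{1,10}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('product_price must be a decimal number');
    }
    return ['product_name' => $name, 'product_price' => $price];
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES also
// encodes single quotes; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened render: every dynamic value is encoded for the context it lands in,
// so even a value that already reached the database cannot break out.
function render_hardened(array $row): string
{
    return '<td>' . h($row['product_name']) . '</td>'
         . '<option value="' . h((string)$row['product_id']) . '">'
         . h(ucfirst($row['product_name'])) . ' - ' . h($row['product_price'])
         . '</option>';
}

$row = ['product_id' => 7] + $submitted;

echo "Vulnerable output (script executes in the viewer's browser):\n",
     render_vulnerable($row), "\n\n";

echo "Hardened output (same stored data, rendered inert):\n",
     render_hardened($row), "\n\n";

try {
    validate_product($submitted);
} catch (InvalidArgumentException $e) {
    // The price payload never reaches DB::save(): validation rejects it.
    // Note that the name payload passes validation (it is plausible free
    // text), which is why output encoding, not input filtering, is the fix.
    echo "Rejected on input: ", $e->getMessage(), "\n";
}
```

Because the application is built on CodeIgniter 3, the framework's own html_escape() helper does the same job as h() above, and the validation step belongs where the controllers currently call $this->input->post(): build $data from an explicit list of expected fields rather than saving the whole request body.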
