Meifukun

Name of the Vulnerable Software and Affected Versions SourceCodester Loan Management System version 1.0 Description A business logic issue exists due to insufficient server-side validation. Administrators can create 'Loan Plans' with penalty rates for overdue payments. The frontend restricts negative values in the 'Monthly Overdue Penalty' field, but this check is absent on the backend. An attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the `penalty rate` parameter. Recommendations Ensure server-side validation is implemented for the `penalty rate` parameter to prevent negative values from being accepted.

Name of the Vulnerable Software and Affected Versions SourceCodester Loan Management System version 1.0 Description A business logic flaw exists because the application does not properly validate input. Specifically, the system allows administrators to define 'Loan Plans' with a duration in months, but it does not verify that the duration is a positive integer. An attacker can submit a negative value for the months parameter, and the system will accept this invalid data, creating a loan plan with a negative duration. Recommendations Ensure that the duration value for loan plans is validated to be a positive integer.

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest percentage. This results in the creation of loan plans with negative interest rates.

A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save loan action). The application fails to properly sanitize user input supplied to the "borrower id" parameter in a POST request, allowing an authenticated attacker to inject malicious SQL commands.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web script or HTML via a crafted URL. The vulnerability is located in the `add category.php` file through the `msg` parameter. **Recommendations** Apply input sanitization to the `msg` parameter in the `add category.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the application. The application does not properly sanitize input, which allows for the injection of arbitrary web scripts or HTML. This occurs through a crafted URL targeting the `add customer.php` file via the `msg` parameter. **Recommendations** Apply input sanitization to the `msg` parameter in the `add customer.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the application. The issue is located in the `add supplier.php` file through the `msg` parameter. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web script or HTML via a crafted URL. **Recommendations** Apply input sanitization to the `msg` parameter in the `add supplier.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System version 1.0. The issue is located in the `add purchase.php` file through the `msg` parameter. The application does not properly sanitize input, allowing remote attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Apply input sanitization to the `msg` parameter in the `add purchase.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System. The problem is located in the `index.php` file through the `msg` parameter. The application does not properly sanitize input, which allows attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider sanitizing the `msg` parameter in the `index.php` file to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System 1.0. The issue is located in the `add sales.php` file through the `msg` parameter. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Sanitize the input for the `msg` parameter in the `add sales.php` file to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Stored Cross-Site Scripting (XSS) issue exists in the application. The application does not properly sanitize the `website` parameter in a POST request to the `update details.php` file. This allows authenticated attackers to inject arbitrary web scripts or HTML. The injected content is stored in the database and executed when the store details page is accessed. **Recommendations** Update the application to a version that properly sanitizes the `website` parameter in the `update details.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists. The application does not properly sanitize input, potentially allowing remote attackers to inject arbitrary web scripts or HTML through a specially crafted URL. The issue is located in the `view payments.php` file via the `limit` parameter. **Recommendations** Apply input sanitization to the `limit` parameter in the `view payments.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System version 1.0. The issue is located in the `view customers.php` file through the `limit` parameter. The application does not properly sanitize input, allowing remote attackers to inject arbitrary web script or HTML via a manipulated URL. **Recommendations** Apply input sanitization to the `limit` parameter in the `view customers.php` file.

A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.