R3Du

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** A flaw in the `save settings()` function within the '/admin/index.php?page=save settings' endpoint allows for remote cross-site scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. This occurs through the manipulation of the `Name` argument. **Recommendations** As a temporary workaround, restrict access to the '/admin/index.php?page=save settings' endpoint or avoid using the `Name` argument until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** Cross site scripting can be triggered remotely via the `save menu()` function in the '/admin/ajax.php?action=save menu' endpoint. The issue occurs through the manipulation of the `Name` argument. **Recommendations** As a temporary workaround, restrict access to the '/admin/ajax.php?action=save menu' endpoint or avoid using the `Name` parameter within the `save menu()` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** A cross-site scripting issue exists in the `save order()` function within the '/admin/ajax.php?action=save order' endpoint. This occurs when the `first name` argument is manipulated, allowing for remote exploitation. **Recommendations** As a temporary workaround, restrict access to the '/admin/ajax.php?action=save order' endpoint or avoid using the `first name` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** A flaw in the `save user()` function within the '/admin/ajax.php?action=save user' endpoint allows for remote cross-site scripting (XSS), which occurs when an attacker manipulates the `Name` argument. Cross-site scripting is a technique where malicious scripts are injected into trusted websites. **Recommendations** As a temporary workaround, avoid using the `Name` parameter in the '/admin/ajax.php?action=save user' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.