Timeflies

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** Cross site scripting can be triggered remotely through the manipulation of the `medicine presentation` argument within the `create medicine presentation()` function located in the `/ShowForm/create medicine presentation/main` file. **Recommendations** As a temporary workaround, restrict access to the `create medicine presentation()` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** A cross-site scripting issue exists in the `create medicine name()` function located in the `/ShowForm/create medicine name/main` file. A remote attacker can trigger this by manipulating the `medicine name` argument. Cross-site scripting is a flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** For version 1.0, avoid using the `medicine name` argument in the affected function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** A flaw in the `create supplier()` function within the `/ShowForm/create supplier/main` file allows for remote cross-site scripting. This occurs when the `company name` argument is manipulated, enabling an attacker to execute malicious scripts in the victim's browser. **Recommendations** Update SourceCodester Pharmacy Sales and Inventory System version 1.0 to a patched version. As a temporary workaround, restrict access to the `create supplier()` function until a fix is applied.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** Improper access controls exist in the `sell statement()` function within the `application/controllers/ShowForm.php` file. This issue allows a remote attacker to bypass access restrictions through manipulation of the function. **Recommendations** Restrict access to the `sell statement()` function in the `application/controllers/ShowForm.php` file until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** Cross site scripting occurs via the manipulation of the `generic name` argument within the `create generic name()` function located in the `/ShowForm/create generic name/main` file. This issue allows for remote attacks. **Recommendations** Update SourceCodester Pharmacy Sales and Inventory System version 1.0 to a version that contains a fix. As a temporary workaround, restrict access to the `create generic name()` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System versions prior to 1.1 **Description** An issue in the Supplier Creation Interface allows remote exploitation via CSV injection. This occurs within the `create supplier()` function located in the `/Export csv/export` file when the `Address/Company Name` argument is manipulated. CSV injection is a technique where untrusted input is embedded into a CSV file, which can execute malicious commands when opened in a spreadsheet application. **Recommendations** Update the system to a version later than 1.0. As a temporary workaround, restrict access to the `create supplier()` function in the `/Export csv/export` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** A flaw in the '/index.php?page=users' endpoint allows for remote cross-site scripting (XSS), which occurs when an attacker manipulates the `Name` argument. Cross-site scripting is a type of security flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** Avoid using the `Name` argument in the '/index.php?page=users' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.