Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
AnalysisAI
Reflected cross-site scripting in SourceCodester Zoo Management System v1.0 login page allows remote attackers to inject arbitrary JavaScript or HTML via the msg parameter without authentication. The vulnerable parameter reflects user input directly to the browser without HTML encoding, enabling credential theft, session hijacking, or malware distribution through crafted URLs. Publicly available proof-of-concept code exists, increasing real-world exploitation risk.
Technical ContextAI
The vulnerability is a classic reflected XSS flaw rooted in improper input validation and output encoding. The login page's msg parameter, intended for displaying messages to users, accepts arbitrary input and renders it directly into the HTML response without sanitization or encoding. This violates the CWE-79 (Improper Neutralization of Input During Web Page Generation) principle. When an attacker crafts a malicious URL containing JavaScript payload (e.g., msg=<script>alert(1)</script>), the server reflects the payload verbatim into the response, causing the victim's browser to execute the attacker's code in the context of the vulnerable application's domain. The attack leverages the browser's same-origin policy trust model, where scripts served from the application domain have access to cookies, session storage, and the DOM.
RemediationAI
Implement immediate input validation and output encoding for the msg parameter on the login page. Encode all user-supplied input using context-appropriate encoding (HTML entity encoding for HTML context, JavaScript escaping for script context) before rendering to the browser. Use a security library such as OWASP ESAPI or similar to sanitize the msg parameter. Alternatively, avoid reflecting user input entirely by using parameterized templates or server-side message storage with secure identifiers. For SourceCodester Zoo Management System v1.0, no vendor-released patch has been identified at time of analysis; verify the vendor's official advisory at https://www.sourcecodester.com for any security updates. As a temporary mitigation, disable or restrict access to the login page msg parameter if operationally feasible, or implement a Web Application Firewall (WAF) rule to block payloads containing common XSS patterns (script tags, event handlers).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17899