Pharmacy Sales And Inventory System
CSV injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged remote attackers to embed malicious spreadsheet formula payloads via the Address and Company Name fields in the Supplier Creation Interface, which are then written unsanitized to exported CSV files. When downstream staff open the exported file in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the injected formulas execute in that client application's context, enabling information disclosure, data manipulation, or further client-side exploitation. A publicly available proof-of-concept exists (GitHub), though no active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.
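Added example (not code from the vulnerable project): the defensive side of the CSV export flaw above. It neutralizes supplier-record cells that spreadsheet clients would evaluate, exports them fully quoted, and scans an already produced file for cells that would run as formulas. Field names and the sample records are constructed assumptions.

```python
"""Defensive handling of spreadsheet-formula (CSV) injection in CSV exports."""
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value as text a spreadsheet client will not evaluate.

    A leading apostrophe forces literal-text handling (it stays visible, the
    accepted cost of this control). Leading whitespace is ignored for the
    check so that "  =1+1" is still caught.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, fieldnames):
    """Write dict rows as CSV with every cell neutralized and fully quoted.

    QUOTE_ALL plus the csv module's doubling of embedded quotes keeps a value
    such as 'abc",=1+1' inside one cell instead of spilling into a new one.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Report (row, column, value) for cells in an exported CSV that would run
    as formulas; useful for checking files from the unpatched application."""
    hits = []
    for idx, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for col, val in row.items():
            if isinstance(val, str) and val.lstrip().startswith(FORMULA_TRIGGERS):
                hits.append((idx, col, val))
    return hits


# Constructed sample supplier records; the formula used is harmless arithmetic.
SAMPLE_SUPPLIERS = [
    {"company_name": "Acme Pharma Ltd", "address": "12 Main St"},
    {"company_name": "=SUM(1,2)", "address": "  -5 Depot Rd"},
]
```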
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the generic_name parameter of the create_generic_name function at /ShowForm/create_generic_name/main. Exploitation requires victim user interaction (UI:R) to trigger script execution, limiting impact to low integrity loss with no confidentiality or availability impact (CVSS 3.5). Publicly available exploit code exists per the GitHub issue tracker reference, though this CVE is not listed in the CISA KEV catalog and EPSS data was not provided in source intelligence.
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated remote attacker to inject malicious JavaScript via the `medicine_presentation` argument in the `create_medicine_presentation` function at `/ShowForm/create_medicine_presentation/main`. Exploitation requires a victim user to interact with the affected page, limiting blast radius but still enabling session hijacking, credential theft, or UI redirection against authenticated users. Publicly available exploit code exists per a GitHub issue disclosure; no CISA KEV listing is present.
Stored or reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a remote, low-privileged attacker to inject arbitrary JavaScript via the company_name argument in the create_supplier function at /ShowForm/create_supplier/main. Successful exploitation requires a victim user to interact with the malicious content, limiting blast radius, but the CVSS temporal metric confirms a proof-of-concept exploit is publicly available via GitHub. No active exploitation has been identified in CISA KEV, though the low attack complexity and public POC make this a credible risk for unpatched deployments handling sensitive pharmaceutical inventory data.
Cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `medicine_name` parameter at the `/ShowForm/create_medicine_name/main` endpoint, executing arbitrary scripts in the browsers of other users who view the affected page. The CVSS 4.0 score of 2.0 reflects a narrow impact profile - no confidentiality loss and only low integrity impact - but a publicly available proof-of-concept exploit exists (E:P), lowering the barrier to abuse in multi-user deployments such as shared pharmacy management environments. No active exploitation has been confirmed via CISA KEV.