CVE-2026-30562

SourceCodester · Sales and Inventory System

SourceCodester Sales and Inventory System 1.0 is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'msg' parameter in add_stock.php due to insufficient input sanitization.

Executive summary

A critical Reflected Cross-Site Scripting (XSS) vulnerability in SourceCodester Sales and Inventory System allows unauthenticated attackers to execute malicious scripts in the context of a user's browser session.

Vulnerability

The application fails to sanitize the "msg" parameter within the add_stock.php file. This allows a remote, unauthenticated attacker to craft a malicious URL containing arbitrary web scripts or HTML, which is then executed by the victim's browser when the link is accessed.

Business impact

While XSS is often categorized as medium severity, the assigned CVSS score of 9.3 indicates a critical risk level in this specific environment, likely due to the potential for administrative session hijacking. Attackers can steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious phishing sites, leading to significant data loss and reputational damage.

Remediation

Immediate Action: Apply the latest vendor patches immediately, or manually implement encoding/sanitization of the "msg" parameter in add_stock.php (HTML-entity encoding at the point where the value is reflected into the page, with input validation in front of it) to prevent script execution.

Proactive Monitoring: Monitor web application firewall (WAF) logs for common XSS patterns, such as script tags or encoded JavaScript signatures, targeting the add_stock.php endpoint.

Compensating Controls: Deploy a Content Security Policy (CSP) header to restrict the execution of unauthorized inline scripts and prevent the loading of scripts from untrusted external domains.
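The three remediation steps above, carried through in one handler, as an added example rather than the project's own code: the page does not reproduce the real add_stock.php source, so the vulnerable pattern, the message allow-list and the exact CSP directives are assumptions about how a status message is typically reflected and how it could be constrained.

```php
<?php
// Hardened handling of the 'msg' parameter (added example, not the vendor's code).
// Assumes 'msg' carries a short status message shown on the add-stock page.

// Compensating control: a CSP that blocks inline scripts and scripts from other
// origins. header() must run before any output is sent.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");

// Vulnerable pattern, shown only for contrast (assumed shape of the original bug):
// the raw query parameter is written into the HTML, so the browser treats any
// markup an attacker placed in the link as part of the page.
//     echo $_GET['msg'];   // DO NOT USE

/**
 * Encode a string for safe insertion into an HTML text node or quoted attribute.
 * ENT_QUOTES covers both quote styles; the charset is set explicitly so that
 * multi-byte sequences cannot be used to smuggle characters past the encoder.
 */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Input validation: map an identifier from the URL to a fixed message instead of
 * reflecting free text. The identifiers and texts here are hypothetical.
 */
function resolve_msg(?string $raw): string
{
    $allowed = [
        'added'   => 'Stock added successfully.',
        'updated' => 'Stock updated successfully.',
        'error'   => 'Could not save the stock entry.',
    ];
    return $allowed[$raw] ?? '';
}

$msg = resolve_msg($_GET['msg'] ?? null);
if ($msg !== '') {
    // Output encoding at the point of reflection, even though the text already
    // comes from the allow-list: the encoder is the control that survives later
    // edits to the message table.
    echo '<div class="alert">' . html_encode($msg) . '</div>';
}
```

Where the application genuinely needs free-text messages, keep html_encode() at every reflection point and drop only the allow-list; the CSP then limits what an encoding slip elsewhere on the page can do.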

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.3, this vulnerability must be addressed with high urgency. Organizations should prioritize sanitizing all user-controllable inputs and consider moving to a more secure, actively maintained sales and inventory platform if vendor support is unavailable.