Summary:
A stored cross-site scripting (XSS) vulnerability exists in the First Name field of the user registration form. Unsanitized user-supplied input is stored in the database and rendered after login (on the login/dashboard flow), allowing persistent JavaScript execution in the context of any user who views the affected page.
Steps to Reproduce:
- Open the application and navigate to the registration page.
- Fill the registration form with the following values (only the relevant fields shown):
- First Name:
<img src=x onerror=alert(/Stored_XSS/)>
- Last Name: any value
- Email: email@example.test
- Password: yourpassword
- Fill any other required fields and submit the form.
- After successful registration, go to the login page (or use the provided flow) and log in with the registered email and password.
- Upon login, the stored first name is rendered as HTML and the injected payload executes: the browser shows an alert dialog containing /Stored_XSS/ (the regex literal is stringified with its slashes).
Vendor of the product(s) info
EbeyJoeRegi
Affected product(s)/code base info
Product: Personal-Expense-Tracker
Version: Git commit 0b588ed (tested Nov 2025)
Impact:
An attacker able to register an account can persist JavaScript that executes in the browser of any user (including admins) who views a page where the stored first name is rendered. Possible impacts include:
- Session cookie theft (only if the session cookie is readable from JavaScript, i.e. not HttpOnly)
- Account takeover (via stolen sessions, or by driving authenticated requests from the victim's browser, which also bypasses any CSRF token since the script runs same-origin)
- Defacement or persistent content injection
- Performing actions on behalf of other users, such as creating or deleting expense records, from the victim's session
- User tracking and phishing within the app
Affected Project:
GitHub repo: https://github.com/EbeyJoeRegi/Personal-Expense-Tracker
Affected File(s):
- register.php (input storage)
- The rendering logic where the user's first name is displayed after login (e.g., header/dashboard/profile pages; examine index.php, profile.php, or any template that prints the stored name).
Recommendation:
Encode the stored name at the point of output with htmlspecialchars() (using ENT_QUOTES and an explicit charset, so the value is also safe inside attribute values), or use a templating engine that auto-escapes output by default. Output encoding is the actual fix; input validation (length and character-set limits on the name, enforced server side) is defence in depth and must not be relied on alone, since client-side checks are trivially bypassed. Mark the session cookie HttpOnly so that a future XSS cannot read it.
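The following is an added example showing the vulnerable rendering pattern next to its hardened form and a server-side name check; it is not code from the Personal-Expense-Tracker repository. The field and column names ($_POST['first_name'], $row['first_name']), the 50-character limit and the allowed character set are assumptions chosen for illustration.

```php
<?php
// Added example; not the project's own code.
// Hypothetical assumptions: register.php receives the name in
// $_POST['first_name'] and the dashboard reads it back as $row['first_name'].

// --- Vulnerable pattern (what the report describes) ---
// The stored value is concatenated straight into markup, so
// "<img src=x onerror=alert(/Stored_XSS/)>" becomes a live element.
function render_name_unsafe(string $firstName): string
{
    return "<h1>Welcome, " . $firstName . "</h1>";
}

// --- Hardened output: encode at the moment of rendering ---
// ENT_QUOTES encodes both ' and ", so the same helper is safe whether the
// name lands in element text or inside an attribute value. The charset is
// passed explicitly so the encoder never guesses.
function render_name_safe(string $firstName): string
{
    $escaped = htmlspecialchars($firstName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Welcome, " . $escaped . "</h1>";
}

// --- Server-side validation for register.php (defence in depth) ---
// Accepts letters of any script plus combining marks, spaces, apostrophes
// and hyphens, 1..50 characters (assumed policy). Returns the cleaned value
// or null when the registration should be rejected.
function validate_first_name(string $firstName): ?string
{
    $trimmed = trim($firstName);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match("/^[\\p{L}\\p{M}' -]+$/u", $trimmed)) {
        return null;
    }
    return $trimmed;
}

// Demonstration with the report's payload (constructed input, not real data).
$payload = '<img src=x onerror=alert(/Stored_XSS/)>';

echo "Unsafe:   ", render_name_unsafe($payload), PHP_EOL;
echo "Escaped:  ", render_name_safe($payload), PHP_EOL;
echo "Validate payload:    ", var_export(validate_first_name($payload), true), PHP_EOL;
echo "Validate Anne-Marie: ", var_export(validate_first_name('Anne-Marie'), true), PHP_EOL;
```

Running it with `php example.php` shows the escaped variant turning the angle brackets into `&lt;` and `&gt;`, so the browser displays the payload as text instead of creating an `<img>` element, while the validator rejects the payload outright. Keep the encoding in the rendering path even after validation is added: a later import, an admin edit form or a different input route can still get an unvalidated value into the database.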
POC : https://drive.google.com/file/d/1OAQTWZk-Giqf44_Jq84dU_6HFkiiwgqC/view?usp=sharing
Discovered by:
Team DisclosureX