This vulnerability involves improper input sanitization in the "limit" parameter of the view_purchase.php file in SourceCodester Sales and Inventory System 1.0. It allows reflected Cross-Site Scripting (CWE-79) attacks, where an attacker can inject malicious scripts that execute in the context of a victim's browser when they visit a crafted URL. The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, user interaction required, and a scope change with limited confidentiality and integrity impact but no availability impact.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to information disclosure or manipulation of the user interface. The impact is limited to confidentiality and integrity with no direct availability impact. The medium severity reflects these limited but non-negligible risks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing input validation and output encoding on the "limit" parameter to mitigate reflected XSS risks. Monitoring for suspicious URL patterns targeting this parameter may also help detect attempts. No official patch or workaround is currently documented.