CampCodes DepEd Equipment Inventory System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CampCodes DepEd Equipment Inventory System version 1.0. This issue arises in the add employee feature, specifically within the data parameter of the add_employee.php file. The vulnerability allows attackers to inject malicious JavaScript, which is executed in the browsers of users viewing the affected employee data. This could lead to session hijacking, data theft, or other malicious activities.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the data.

Reproduction

To reproduce this vulnerability, inject a script into the 'data' parameter when adding a new employee through the 'add_employee.php' page. Once the employee is saved, the injected script will execute when the employee data is viewed.
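The defensive counterpart to the behaviour described above, as an added example that is not CampCodes code: stored employee values are treated as untrusted and HTML-encoded at the point they are written into the page. The field names, helper functions and sample input are assumptions, since the page does not show the application's schema or source.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; the real add_employee.php schema is not shown on the page.
const EMPLOYEE_FIELDS = ['firstname', 'lastname', 'position'];

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Keep only expected fields, trim and cap length. Values are stored raw and encoded on output. */
function normalize_employee(array $input): array
{
    $row = [];
    foreach (EMPLOYEE_FIELDS as $field) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field $field must be a string");
        }
        $row[$field] = mb_substr(trim($value), 0, 100);
    }
    return $row;
}

/** Build one table row; every stored value passes through e() before reaching the markup. */
function render_employee_row(array $row): string
{
    $cells = '';
    foreach (EMPLOYEE_FIELDS as $field) {
        $cells .= '<td>' . e($row[$field]) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed sample input containing markup characters and an unexpected extra field.
$stored = normalize_employee([
    'firstname' => 'Ana <b>Cruz</b>',
    'lastname'  => 'O\'Neil & "Co"',
    'position'  => 'Clerk',
    'extra'     => 'ignored',
]);

if (PHP_SAPI !== 'cli') {
    // Defense in depth: a restrictive CSP limits what any markup that slips through can do.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}
echo render_employee_row($stored), PHP_EOL;
```

Encoding happens at output rather than at storage, so records already saved with markup in them are rendered inert as well.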

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 1.7
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.