Projectworlds Expense Management System Cross-Site Scripting Vulnerability in Roles Page

Vulnerability

A critical persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Projectworlds Expense Management System version 1.0. The issue resides in the Roles page, specifically in the handler behind the '/public/admin/roles/create' endpoint. Text fields submitted through that form, such as 'Title', are stored without sanitisation and later rendered without output encoding, so an authenticated attacker can inject a script payload into the application's database; the script then executes in the browser of any user, including an administrator, who views the affected page.

Impact

Because the injected script runs in the victim's browser within the victim's session, an attacker can steal the session cookies of other users, including administrators, and hijack their accounts, impersonating them and performing actions on their behalf such as creating admin accounts or deleting records. Cookie theft requires that the session cookie is not flagged HttpOnly; even when it is, the script can still issue authenticated requests from the victim's browser. The same foothold can be used for phishing, by injecting a fake login form into the page to capture credentials, or for keystroke logging to intercept sensitive input.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'Add Roles' page. Fill out the form with valid data, but insert a JavaScript payload, for example <script>alert(1)</script>, into one of the text fields, such as 'Title'. After the form is submitted, the payload is stored in the database unchanged. The script fires when any user, including an administrator, opens the affected page and clicks 'Print', because the stored value is written into the printable view without encoding.

Remediation

To address this vulnerability, encode user-controlled data at the point it is written into HTML, on every view that displays it, the 'Print' view included. In PHP this is done with 'htmlspecialchars()', which converts the characters '<', '>', '&', '"' and (with ENT_QUOTES) the single quote into HTML entities, so the browser renders them as text rather than interpreting them as markup. Validating the role title on input (for example a length limit and a restricted character set) is a useful second layer, but output encoding is the control that actually closes the bug.
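The following is an added illustration of the fix, not code from Projectworlds Expense Management System. It contrasts a rendering function that writes a stored role title into HTML as-is with one that encodes it first; the role record, the payload inside it, and the function names 'renderRoleRowUnsafe', 'renderRoleRowSafe' and 'e' are all constructed for the example and are not assumed to exist in the project.

```php
<?php
// Added example (not the project's code). $role stands in for a record read
// back from the database; its title carries a constructed stored-XSS payload
// of the kind the advisory describes, and the description carries quotes.
$role = [
    'title'       => '<script>alert(document.cookie)</script>',
    'description' => 'Finance "approvers"',
];

// Vulnerable rendering: the stored value is concatenated straight into the
// markup, so the browser parses the <script> element and runs it.
function renderRoleRowUnsafe(array $role): string
{
    return '<tr><td>' . $role['title'] . '</td><td>' . $role['description'] . '</td></tr>';
}

// Output-encoding helper for an HTML text or attribute context.
// ENT_QUOTES also encodes single quotes (needed if a value ends up inside a
// single-quoted attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the explicit charset avoids relying on the
// default_charset ini setting. Note that before PHP 8.1 the default flags did
// not encode single quotes, so passing the flags explicitly matters.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: every user-controlled value goes through e() at the
// point of output, on the list view and the printable view alike.
function renderRoleRowSafe(array $role): string
{
    return '<tr><td>' . e($role['title']) . '</td><td>' . e($role['description']) . '</td></tr>';
}

echo "Unsafe: " . renderRoleRowUnsafe($role) . PHP_EOL;
echo "Safe:   " . renderRoleRowSafe($role) . PHP_EOL;

// Self-check: the encoded row contains no raw tag from user data, only entities.
assert(strpos(renderRoleRowSafe($role), '<script') === false);
assert(strpos(renderRoleRowSafe($role), '&lt;script&gt;alert(document.cookie)&lt;/script&gt;') !== false);
assert(strpos(renderRoleRowSafe($role), 'Finance &quot;approvers&quot;') !== false);
```

htmlspecialchars() is the right encoder only for data placed in HTML element content or quoted attribute values. A value written into a JavaScript block, a URL, or an inline event handler needs the encoding appropriate to that context instead, so the audit should cover every place a role field is echoed, not just the table cell shown here.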

Added: Oct 27, 2025, 6:20 AM
Updated: Oct 27, 2025, 2:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 3.5
exploitability: 6.3
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.