code-projects Employee Profile Management System
cpe:2.3:a:code-projects:employee_profile_management_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in Code-Projects Employee Profile Management System version 1.0. The issue arises in the file 'view_personnel.php', where user-controlled input such as addresses and school names is rendered without proper HTML escaping. This flaw allows for the injection of JavaScript, which is executed in the context of the user viewing the personnel data or printing reports.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the browsers of users, including administrators, who view the affected personnel records or print reports. This could lead to session hijacking, credential theft, unauthorized actions, injection of backdoor scripts into report pages, and manipulation of displayed personnel data.
To reproduce this vulnerability, log in as a user with permission to add or edit personnel profiles. Create or edit a personnel record, injecting a JavaScript payload into the Address field. After saving the profile, access either 'view_personnel.php' or 'print_personnel_report.php', where the injected script will execute immediately due to the lack of output encoding.
It is recommended to apply HTML output encoding for all user-controlled data, sanitize and validate input on save or update, and adopt a global output-encoding strategy.
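The recommended output encoding, shown as an added example beside the unsafe pattern; this is not code from the Employee Profile Management System. The field names `address` and `school_name`, the helper `e()`, the two render functions, and the sample record are assumptions constructed for illustration.

```php
<?php
// Added example, not the application's code. Field names and the record are constructed.

/** Encode a value for HTML element content or a quoted attribute value. */
function e($value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars((string) ($value ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: stored data concatenated into markup unchanged. */
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['address'] . '</td><td>' . $row['school_name'] . "</td></tr>\n";
}

/** Hardened form: every user-controlled field passes through e(). */
function render_row_safe(array $row): string
{
    return '<tr><td>' . e($row['address'] ?? '') . '</td><td>'
        . e($row['school_name'] ?? '') . "</td></tr>\n";
}

// Constructed record, as it could be read back from the database.
$record = [
    'address'     => '12 Main St <script>alert(1)</script>',
    'school_name' => 'St. Mary\'s "Upper" School & College',
];

$unsafe = render_row_unsafe($record);
$safe   = render_row_safe($record);

// The unsafe row carries a live tag; the safe row carries only its encoded text.
if (strpos($unsafe, '<script>') === false) {
    throw new RuntimeException('expected raw markup in the unsafe rendering');
}
if (strpos($safe, '<script>') !== false || strpos($safe, '&lt;script&gt;') === false) {
    throw new RuntimeException('output encoding did not neutralise the stored markup');
}

echo $safe;
```

Routing both the view page and the print report through one helper such as `e()` is what makes the encoding global rather than per-page. `htmlspecialchars` covers HTML element content and quoted attribute values only; data placed inside script blocks or URLs needs encoding for that context.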