code-projects Human Resource Management System
cpe:2.3:a:code-projects:human_resource_management:*:*:*:*:*:*:*
- 1.0.1
A stored cross-site scripting (XSS) vulnerability has been identified in Code-Projects Human Resource Management System version 1.0.1. The issue lies in the UpdateRecruitmentById function of the recruitment.go handler file, which saves submitted recruitment fields without sanitizing or encoding them. An authenticated user can submit script content that the application stores and later renders unmodified, so the script executes in the browser of any user who views the affected record. The flaw is exploitable remotely; it requires the attacker to hold an authenticated account and the victim to view the stored data.
Successful exploitation results in stored cross-site scripting: the injected script runs in the context of the victim's session, with whatever privileges that user holds in the application.
To reproduce this vulnerability, log into the application and navigate to the recruitment management feature. Use the UpdateRecruitmentById function to modify a recruitment record, placing an HTML script payload in one of the editable fields. The application does not sanitize or encode the input before saving it, so the payload is stored as-is. When the record is later retrieved and displayed, the injected script executes in the browser of the user viewing it.
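The following Go program is an added illustration of the bug class described above; it is not code from the Code-Projects project, and the record type, field names, in-memory store and function names are assumptions. It stores a record verbatim, as the advisory says the handler does, then renders it twice: once with text/template, which emits the stored payload as raw markup, and once with html/template, which escapes it according to its HTML context.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Recruitment is a hypothetical record; the field names are assumptions,
// not the project's actual schema.
type Recruitment struct {
	ID       int
	Position string
	Notes    string
}

// store stands in for the database the handler writes to.
var store = map[int]*Recruitment{}

// updateRecruitmentByID mimics the vulnerable pattern: submitted fields are
// saved exactly as received, with no validation or encoding.
func updateRecruitmentByID(id int, position, notes string) {
	store[id] = &Recruitment{ID: id, Position: position, Notes: notes}
}

// page is the (constructed) view that displays a stored record.
const page = `<h1>{{.Position}}</h1><p>{{.Notes}}</p>`

// renderUnsafe renders the record with text/template, which performs no HTML
// escaping, so a stored payload reaches the browser as executable markup.
func renderUnsafe(id int) (string, error) {
	rec, ok := store[id]
	if !ok {
		return "", fmt.Errorf("no record %d", id)
	}
	tmpl := texttemplate.Must(texttemplate.New("rec").Parse(page))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, rec); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe renders the same record with html/template, which escapes every
// interpolated value for the HTML context it lands in (text, attribute, URL).
func renderSafe(id int) (string, error) {
	rec, ok := store[id]
	if !ok {
		return "", fmt.Errorf("no record %d", id)
	}
	tmpl := htmltemplate.Must(htmltemplate.New("rec").Parse(page))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, rec); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawScript is a simple check for whether rendered output still
// carries an unescaped <script> tag; useful when verifying a fix.
func containsRawScript(html string) bool {
	return strings.Contains(html, "<script>")
}

func main() {
	// Constructed payload of the kind an attacker would submit via the update form.
	payload := `<script>alert(document.cookie)</script>`
	updateRecruitmentByID(7, "Engineer", payload)

	unsafe, _ := renderUnsafe(7)
	safe, _ := renderSafe(7)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```

The fix is output encoding at render time: switching the view to html/template (or equivalent context-aware escaping) neutralizes already-stored payloads as well as new ones, whereas input filtering alone leaves existing records and any bypassed filter as residual risk.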