Kashipara Online Attendance Management System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Kashipara Online Attendance Management System version 1.0. The issue resides in the manage-employee.php page: the department parameter submitted when an employee record is edited is stored as-is and later rendered into the page without output encoding, so an attacker who can submit that parameter can inject arbitrary script into the stored record. The injected script executes when an administrator views the affected employee record, potentially compromising the administrator's account and, through it, the application itself.
Impact
Exploitation of this vulnerability allows execution of arbitrary JavaScript in the administrator's browser, on the application's origin. This could lead to theft of the admin's session cookie, session hijacking, or actions performed on behalf of the admin. Note that marking the session cookie HttpOnly only prevents the cookie from being read; script running on the origin can still issue authenticated requests from the admin's browser, so the cookie flag alone does not remove the impact.
Reproduction
To reproduce this vulnerability, log into the admin dashboard and navigate to the 'Manage Employees' section. Open the edit page for an employee and intercept the submitted request with Burp Suite. Modify the department parameter to contain a script payload and forward the request so the value is stored. Return to the employee list and click the 'View' button for that employee: the stored payload executes in the browser, demonstrating the stored cross-site scripting vulnerability. Note that these steps are performed from an authenticated admin session; whether a lower-privileged user can also set the department value is not established here, and that determines the practical severity.
Remediation
It is recommended to validate the department parameter on the server side against an allow-list of permitted characters and a maximum length before storing it, to encode stored values for the HTML context at the moment they are rendered (output encoding, rather than only filtering on input), and to deploy a strict Content Security Policy that forbids inline scripts as a defence-in-depth measure. Output encoding is the control that actually closes this class of bug; validation and CSP reduce exposure if an encoding step is missed elsewhere.
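The following is an added example of the fix described above, written here for illustration; it is not code from the Kashipara project. The table and column names (employees.department), the $conn mysqli handle, and the function names are assumptions. It shows the three controls from the remediation section together: server-side validation on the write path, HTML output encoding on the read path (next to the kind of unencoded echo that causes the stored XSS), and a CSP header.

```php
<?php
// Added example, not the project's own code. Table/column names
// (employees.department) and the $conn mysqli handle are assumptions.

// Write path: validate the department value before it is stored, so the
// database never holds a script payload. Allow-list of letters, digits,
// spaces and a few punctuation characters; HTML metacharacters are rejected.
function validateDepartment(string $department): string
{
    $department = trim($department);
    if ($department === ''
        || strlen($department) > 100
        || !preg_match('/^[A-Za-z0-9 &\-\.\/]+$/', $department)) {
        throw new InvalidArgumentException('Invalid department value');
    }
    return $department;
}

// Stores the validated value with a prepared statement, keeping the input
// out of the SQL grammar as well as out of the HTML.
function updateDepartment(mysqli $conn, int $employeeId, string $department): void
{
    $department = validateDepartment($department);
    $stmt = $conn->prepare('UPDATE employees SET department = ? WHERE id = ?');
    $stmt->bind_param('si', $department, $employeeId);
    $stmt->execute();
    $stmt->close();
}

// Vulnerable output pattern: a stored value echoed straight into HTML.
// echo '<td>' . $row['department'] . '</td>';

// Hardened output: encode for the HTML context at render time, independent
// of whatever validation happened when the value was written.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDepartmentCell(string $department): string
{
    return '<td>' . h($department) . '</td>';
}

// Defence in depth: a CSP that forbids inline scripts. Must be sent before
// any output is written to the response.
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

// Constructed payload of the kind the advisory describes. The validation
// step rejects it on the way in; the encoding step neutralises it on the
// way out if a stored copy already exists.
$payload = '<script>alert(document.cookie)</script>';
try {
    validateDepartment($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected on input: ', $e->getMessage(), PHP_EOL;
}
echo renderDepartmentCell($payload), PHP_EOL;
```

The encoded cell is what should replace the raw echo in manage-employee.php wherever the department value is displayed; with htmlspecialchars applied, the angle brackets and quotes in the stored payload are rendered as text rather than parsed as markup. Validation on the write path is deliberately an allow-list rather than a blocklist of known script fragments, since blocklists are routinely bypassed with alternative tags and attribute handlers. Because the value is already stored in the database for any record edited before the fix, existing rows should be reviewed or re-validated after deployment.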
