PHPGurukul Staff Leave Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Staff Leave Management System version 1.0. The profile picture upload handled in the adminviews.py file neither restricts the file type nor validates the file contents, so an SVG file containing JavaScript is accepted and stored as a profile picture. Because SVG is an XML document rather than a raster image, the embedded script runs when the stored file is opened in the browser. The upload is reachable by authenticated administrators through both the staff creation and profile update functionalities, and by staff members through their own profile update.

Impact

Exploitation results in stored cross-site scripting: the JavaScript embedded in the uploaded SVG runs in the application's origin and in the session of any user who views the profile or staff list and opens the stored file, including an administrator reviewing a staff member's profile. Since the file persists on the server, the payload does not depend on the victim following a crafted link.

Reproduction

To reproduce this vulnerability, log in as an administrator and open the 'Add Staff' or 'Profile' update page. Upload an SVG file that carries JavaScript (a script element or an event handler attribute such as onload) as the profile picture. Once the file is stored, open it in the browser: the embedded JavaScript executes, demonstrating the stored cross-site scripting. The same result can be obtained as a staff member by uploading the SVG file through the profile update and then opening the stored file in a new tab. Note that browsers do not execute script inside an SVG referenced from an img tag; the payload fires when the file itself is loaded as a document, which is why opening it directly, or in a new tab, triggers it.

Remediation

It is recommended to restrict profile pictures to an allowlist of raster formats (for example PNG, JPEG and GIF), to verify the file signature of each upload rather than trusting the extension or the client-supplied Content-Type, and to store uploads under a server-generated filename. If SVG must be accepted, sanitize it with a dedicated library that strips script elements, event handler attributes and external references, since rejecting it outright is far simpler and safer. Serve uploaded files with the Content-Type derived from the validated format, with X-Content-Type-Options: nosniff so the browser cannot reinterpret the bytes, and with a restrictive Content Security Policy; serving uploads from a separate origin further limits what any script that slips through can reach.
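The checks above, as an added example written for this advisory and not code from PHPGurukul or the affected application: a Python validator in the style of the adminviews.py handler named in the description, assuming it receives the original filename and the raw upload bytes. The helper names, the sample SVG payload (a constructed instance of the script-bearing file the reproduction section describes) and the PNG stub are all invented for the demonstration; no real project API is assumed.

```python
"""Server-side validation and serving headers for a profile-picture upload.
Added example for this advisory; not code from the affected project.
Assumes a view hands us the original filename and the raw bytes."""

import re
import secrets

# Constructed sample inputs for the demonstration, not files from the advisory:
# an SVG carrying script the way the reproduction section describes, and a stub
# beginning with the 8-byte PNG signature standing in for a legitimate image.
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
    b"<script>alert(1)</script></svg>"
)
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24

# Allowlist of raster formats: extension -> (file signature, MIME type).
# SVG is deliberately absent: it is XML and can carry script.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}

# Markup that must never appear in a raster image. Checked on the leading bytes
# as defence in depth against polyglots (a valid signature followed by markup).
MARKUP_RE = re.compile(rb"<\s*(\?xml|svg|script|html|iframe)", re.IGNORECASE)


def validate_profile_picture(filename, data):
    """Return the canonical extension if the upload is an allowed raster image,
    otherwise None. Checks extension, file signature and absence of markup."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return None
    magic, _ = ALLOWED_TYPES[ext]
    if not data.startswith(magic):      # extension claims image, bytes disagree
        return None
    if MARKUP_RE.search(data[:1024]):   # signature present but markup follows
        return None
    return "jpg" if ext == "jpeg" else ext


def stored_filename(ext):
    """Server-chosen name: the user-supplied name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def serve_headers(ext):
    """Headers for serving a validated upload: the MIME type comes from the
    validated format, nosniff stops the browser reinterpreting the bytes, and
    the CSP forbids script and plugins should the file be opened directly."""
    _, mime = ALLOWED_TYPES[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def handle_upload(filename, data):
    """Hypothetical upload handler: returns (stored_name, headers) or raises."""
    ext = validate_profile_picture(filename, data)
    if ext is None:
        raise ValueError("only PNG, JPEG or GIF profile pictures are accepted")
    return stored_filename(ext), serve_headers(ext)


if __name__ == "__main__":
    print(validate_profile_picture("avatar.svg", MALICIOUS_SVG))      # None
    print(validate_profile_picture("avatar.png", MALICIOUS_SVG))      # None
    print(validate_profile_picture("avatar.png", PNG_STUB))           # png
    print(handle_upload("avatar.png", PNG_STUB)[1]["Content-Type"])   # image/png
```

The signature check alone is not enough: a file beginning with a valid GIF or PNG header and continuing with SVG markup would pass it, which is why the leading bytes are also scanned for markup. The headers function is where the advisory's "serve uploaded files safely" point lands; a real deployment would additionally place the upload directory on its own origin.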

Added: Jan 8, 2026, 10:18 PM
Updated: Jan 8, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.