ZeroWdd studentmanager
cpe:2.3:a:zerowdd:studentmanager:*:*:*:*:*:*:*
- <= 2151560fc0a50ec00426785ec1e01a3763b380d9
A stored cross-site scripting vulnerability has been identified in ZeroWdd Studentmanager versions prior to 2151560fc0a50ec00426785ec1e01a3763b380d9. The issue arises in the LeaveController's addLeave function, where user input in the 'Reason for Leave' field is not properly sanitized before being displayed to other users. This vulnerability can be exploited remotely, and has been publicly disclosed along with a proof-of-concept exploit.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the leave application, potentially compromising administrator accounts.
To reproduce this vulnerability, log in as a student account and navigate to the leave management section. Submit a new leave request, inserting a malicious payload, such as a link including JavaScript, into the 'Reason for Leave' field. Then, log in as an administrator and view the submitted leave application. The injected script will execute, demonstrating the cross-site scripting vulnerability.
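The defect the advisory describes is an output-encoding failure: whatever a student types into 'Reason for Leave' is stored and later written into the page an administrator views. The following Python snippet is an added illustration, not code from the ZeroWdd Studentmanager project (whose rendering code the advisory does not show). It places the vulnerable rendering pattern beside the hardened one and adds the audit check a defender wants after patching, because a stored XSS payload survives in the database until existing records are reviewed. The sample leave reasons are constructed for the example.

```python
import html
import re

# Constructed sample records standing in for stored 'Reason for Leave' values.
# The second one is the kind of JavaScript link the advisory mentions.
SAMPLE_REASONS = [
    "Family visit over the weekend",
    '<a href="javascript:alert(1)">doctor appointment</a>',
    "Dentist, back by 3pm",
]


def render_reason_vulnerable(reason: str) -> str:
    """Mirrors the advisory's defect: the raw field is concatenated into HTML,
    so any markup the submitter stored is interpreted by the viewer's browser."""
    return f'<td class="reason">{reason}</td>'


def render_reason_hardened(reason: str) -> str:
    """Encode at the point of output. html.escape with quote=True turns
    < > & " ' into entities, so the stored text is displayed, never executed."""
    return f'<td class="reason">{html.escape(reason, quote=True)}</td>'


# Heuristic for auditing already-stored reasons: a tag opener, a javascript:
# URL scheme, or an inline event-handler attribute. Intentionally broad;
# hits are for human review, not automatic deletion.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_stored_reasons(reasons):
    """Return the stored reasons that contain markup and should be reviewed
    (and re-displayed only through the hardened renderer)."""
    return [r for r in reasons if MARKUP_RE.search(r)]


def hardened_output_is_inert(reason: str) -> bool:
    """True when the hardened rendering contains no raw tag opener at all,
    i.e. the only '<' left is the one the template itself emits for <td>."""
    rendered = render_reason_hardened(reason)
    body = rendered[len('<td class="reason">'):-len("</td>")]
    return "<" not in body and ">" not in body


if __name__ == "__main__":
    for r in SAMPLE_REASONS:
        print("vulnerable:", render_reason_vulnerable(r))
        print("hardened:  ", render_reason_hardened(r))
    print("needs review:", flag_stored_reasons(SAMPLE_REASONS))
```

The hardened renderer is the fix at the display layer, which is where the advisory locates the problem; rejecting or stripping input in addLeave would only be a secondary control, since other code paths could still store unescaped text. The audit function is there because patching the template does nothing about records submitted before the fix.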