itsourcecode Payroll Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the itsourcecode Payroll Management System version 1.0. The issue arises in the manage_employee_allowances.php file, where the 'id' URL parameter is not properly sanitized before being outputted. This flaw allows remote attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability does not require authentication but does need user interaction to exploit.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session, potentially leading to session hijacking, unauthorized actions, data theft, or malware distribution.

Reproduction

To reproduce this vulnerability, send a request to manage_employee_allowances.php with a crafted 'id' parameter that includes JavaScript code, such as a script tag with an alert. The injected script will execute in the browser.

Remediation

It is recommended to validate input by rejecting special characters and using an allow-list approach, encode output with functions like htmlspecialchars() or htmlentities(), and implement security headers such as Content-Security-Policy and X-XSS-Protection.