itsourcecode Payroll Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the itsourcecode Payroll Management System version 1.0. The issue resides in the manage_employee_deductions.php file, where user input through the 'id' parameter is not properly sanitized before being reflected in the page output. This flaw allows remote attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability does not require authentication but relies on tricking a user into clicking a malicious link.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session, potentially leading to session hijacking, unauthorized actions, data theft, or malware distribution.

Reproduction

To reproduce this vulnerability, send a request to manage_employee_deductions.php with an unsanitized 'id' parameter. The injected script will be executed as soon as the page is loaded.

Remediation

It is recommended to implement input validation to reject special characters, use an allow-list approach, and apply output encoding techniques such as htmlspecialchars() or htmlentities(). Additionally, consider adding security headers like Content-Security-Policy and X-XSS-Protection.