itsourcecode Payroll Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the itsourcecode Payroll Management System, specifically in version 1.0. The issue resides in the navbar.php file, where user input through the 'page' URL parameter is not properly sanitized before being displayed. This flaw allows attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability can be exploited remotely, without authentication, by convincing a user to click on a malicious link.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session, potentially leading to session hijacking, unauthorized actions, data theft, or malware distribution.

Reproduction

To reproduce this vulnerability, navigate to the navbar.php page and append a crafted 'page' parameter that includes JavaScript payloads, such as script tags or JavaScript URI schemes. Once the page loads, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to implement input validation to reject special characters, use an allow-list approach, and apply output encoding techniques such as htmlspecialchars() or htmlentities(). Additionally, consider adding security headers like Content-Security-Policy and X-XSS-Protection.