Code-Projects Employee Management System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Code-Projects Employee Management System version 1.0. The issue arises in the file '370project/mark.php', where user input is not properly sanitized before being output, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for the injection of JavaScript into the page, which can be executed in the context of the user's browser. This could lead to session hijacking, account takeover, or phishing by manipulating the user interface.

Reproduction

To reproduce this vulnerability, send a GET request to '370project/mark.php' with the 'id' and 'pid' query parameters. The 'pid' parameter should be crafted to include a script tag payload, which will be reflected in an HTML attribute without proper escaping. When the response is rendered in a browser, the injected script will execute, confirming the presence of the cross-site scripting vulnerability.