| Field | Value |
|---|---|
| Title | PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting |
| Description | A critical stored cross-site scripting (XSS) vulnerability exists in the Staff Leave Management System due to unrestricted file upload functionality in the profile picture feature. The application fails to validate uploaded file types and content, allowing authenticated administrators to upload malicious SVG files containing embedded JavaScript code.<br><br>The vulnerability exists in two locations:<br>- Admin profile update functionality (http://127.0.0.1:8000/Profile)<br>- Staff creation functionality (http://127.0.0.1:8000/Admin/Staff/Add)<br><br>The application accepts SVG files without content inspection or sanitisation. When these files are rendered in the browser (either by viewing user profiles or opening images in new tabs), the embedded JavaScript executes in the security context of any user viewing the content, including other administrators. |
| Source | https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md |
| User | hackerfactory (UID 85869) |
| Submission | 06.01.2026 22:29 (5 months ago) |
| Moderation | 08.01.2026 16:13 (2 days later) |
| Status | Accepted |
| VulDB Entry | 340127 [PHPGurukul Staff Leave Management System 1.0 SVG File adminviews.py ADD_STAFF/UPDATE_STAFF profile_pic Cross Site Scripting] |
| Points | 20 |
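The server-side check whose absence the description points to, as an added example that is not code from the project or the submitter: it identifies the upload from its bytes rather than its extension or Content-Type, rejects SVG for profile pictures by default, and goes beyond the page by also inspecting an SVG for scriptable content should SVG ever need to be accepted. Function names and the sample inputs are constructed for this example.

```python
from typing import Optional
from xml.etree import ElementTree as ET

# Raster formats a profile picture is allowed to be, keyed by magic bytes.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Constructed sample uploads (not real files from the vulnerable application).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
              b'<script>void 0</script><circle r="1"/></svg>')
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the upload from its content; extension and declared MIME are ignored."""
    for signature, mime in RASTER_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    head = data[:2048].lstrip().lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    return None


def svg_active_content(data: bytes) -> list:
    """List the reasons an SVG could run script when a browser renders it."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML"]
    findings = []
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1].lower()   # strip the namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):                   # onload, onclick, ...
                findings.append(f"{name} event handler")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings


def validate_profile_picture(data: bytes, allow_svg: bool = False) -> tuple:
    """Accept raster images whose bytes match a known signature; SVG only if
    explicitly allowed and free of active content. Returns (accepted, reason)."""
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised or unsupported image format"
    if kind == "image/svg+xml":
        if not allow_svg:
            return False, "SVG profile pictures are not accepted"
        findings = svg_active_content(data)
        if findings:
            return False, "SVG contains active content: " + ", ".join(findings)
    return True, kind
```

Storing accepted files under a server-chosen name and serving them with `Content-Disposition: attachment` or from a separate origin removes the remaining render-in-place risk even if a check is bypassed.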