| Title | CodeAstro Human Resource Management System in PHP CodeIgniter 1.0 Cross Site Scripting |
|---|
| Description | A stored cross-site scripting (stored XSS) vulnerability exists in the Notice Management functionality of CodeAstro Human Resource Management System in PHP CodeIgniter. The source code can be downloaded from https://codeastro.com/human-resource-management-system-in-php-codeigniter-with-source-code/.
The application allows authenticated low-privileged users to create arbitrary notice board entries, and it neither sanitizes the user-supplied "Notice Title" on input nor HTML-encodes it on output before rendering it in the dashboard.
An authenticated attacker can exploit this by entering a JavaScript payload in the "Notice Title" field when creating a notice. The payload is stored on the server and executes in the browser of every user who opens the dashboard page on which notice board entries are displayed.
The vulnerability can be reproduced with the following steps:
1. Log in to the application using:
URL: http://localhost/hrsystem/
Email: [email protected]
Password: Password@123
2. Navigate to the Notice Management section:
http://localhost/hrsystem/notice/All_notice
3. Click on "Add Notice".
4. In the "Notice Title" field, enter the following payload:
<svg onload="alert('Stored XSS Triggered by Ashik Mohamed')">
5. Select any document attachment and a published date.
6. Submit the notice.
On submission the injected script executes immediately in the attacker's own browser, confirming that the title is rendered without encoding.
The payload also remains stored in the notice board and executes every time an authenticated user opens the dashboard page at:
http://localhost/hrsystem/dashboard/Dashboard
Because the notice board is rendered on every user's dashboard, the vulnerability affects all authenticated users, including administrator accounts, so a low-privileged user can run script in the context of higher-privileged sessions.
Successful exploitation allows arbitrary JavaScript execution in victims' browsers, which can be used for session hijacking (where the session cookie is not marked HttpOnly), phishing, interface manipulation, actions performed on behalf of the victim, or further client-side compromise.
In addition, the application provides no way to delete a notice through the user interface. Once a malicious notice has been created, the payload stays active until it is removed directly in the backend or database, which prolongs the exposure and complicates remediation. |
|---|
| User | ashikmd7 (UID 98284) |
|---|
| Submission | 21.05.2026 09:35 (20 days ago) |
|---|
| Moderation | 07.06.2026 12:13 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 369111 [CodeAstro Human Resource Management System 1.0 Notice Board Management /notice/All_notice Notice Title Cross Site Scripting] |
|---|
| Points | 17 |
|---|
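The report above describes a notice title that is stored as entered and echoed into the dashboard without output encoding. The following is an added example, not CodeAstro's code and not taken from the project's views: a render loop showing the unsafe pattern next to the hardened form, using the exact payload from the reproduction steps as a constructed sample row. The array keys, markup, and function names are assumptions; the script needs PHP 8.0 or later for str_contains().

```php
<?php
declare(strict_types=1);

// Added example, not CodeAstro's code. The notice record layout ('title',
// 'published'), the list markup, and the function names are assumptions.

/** Constructed sample rows; the first title is the payload from the report. */
function sampleNotices(): array
{
    return [
        ['title' => '<svg onload="alert(\'Stored XSS Triggered by Ashik Mohamed\')">',
         'published' => '2026-05-21'],
        ['title' => 'Office closed on Friday', 'published' => '2026-05-22'],
    ];
}

/**
 * Vulnerable pattern: stored values are concatenated straight into the HTML.
 * A browser parses the <svg> element from the title and runs its onload
 * handler on every dashboard load, for every user who sees the board.
 */
function renderNoticesUnsafe(array $notices): string
{
    $html = '<ul class="notice-board">';
    foreach ($notices as $n) {
        $html .= '<li><strong>' . $n['title'] . '</strong> '
               . '<small>' . $n['published'] . '</small></li>';
    }
    return $html . '</ul>';
}

/**
 * Output encoding for HTML body and attribute context. ENT_QUOTES encodes
 * both quote characters, so the result is also safe inside a quoted
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
 * returning an empty string and silently dropping the value.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every untrusted field is encoded at the point of output. */
function renderNoticesSafe(array $notices): string
{
    $html = '<ul class="notice-board">';
    foreach ($notices as $n) {
        $html .= '<li><strong>' . e($n['title']) . '</strong> '
               . '<small>' . e($n['published']) . '</small></li>';
    }
    return $html . '</ul>';
}

/** Check: a raw <svg tag from the title must not survive in the safe output. */
function containsRawSvg(string $html): bool
{
    return str_contains($html, '<svg');
}

$notices = sampleNotices();
$unsafe  = renderNoticesUnsafe($notices);
$safe    = renderNoticesSafe($notices);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";

// The unsafe output still carries a live <svg onload=...> element; the safe
// output carries only the text &lt;svg onload=&quot;alert(... in its place.
if (!containsRawSvg($unsafe) || containsRawSvg($safe)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
echo "encoding check passed\n";
```

The page does not say which CodeIgniter major version the project is built on; CodeIgniter 3 ships html_escape() and CodeIgniter 4 ships esc(), both of which wrap the same htmlspecialchars() call shown in e() and belong in the view wherever a notice field is printed. Input validation on the "Notice Title" field is a useful second layer but not a substitute for encoding at output, since the same stored value may be rendered in more than one context. Because the application offers no deletion of notices through the interface, an already-stored payload has to be removed from the notice table directly in the database; the table and column names are not given on the page, so no cleanup query is shown here.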