Submission #699246: code-projects Employee Profile Management System published November 15, 2025 Cross Site Scripting Information

Title: code-projects Employee Profile Management System published November 15, 2025 Cross Site Scripting
Description:

Summary
The vulnerability exists in the personnel profile viewing and reporting components because of improper output encoding. User-controlled fields stored in the database (address, school names, degrees, and so on) are rendered directly in view_personnel.php and print_personnel_report.php without HTML escaping, which allows an attacker to inject arbitrary JavaScript.

Root Cause
The application neither sanitizes nor encodes user-controlled input when displaying personnel information. Fields such as per_address, bs_school, ms_school, and dr_school are output with raw PHP echo statements of the form:

<?php echo $row['per_address']; ?>

Because no htmlspecialchars() call or other encoding function is applied, an attacker-supplied payload such as <script>...</script> is executed in the victim's browser.

Reproduction
1. Log in as a normal user who has permission to add or edit personnel profiles.
2. Create or edit a personnel record and set the Address field (per_address) to: <script>alert('XSS');</script>
3. Save the profile, then open either of the following pages:
   view_personnel.php?per_id=<id>
   print_personnel_report.php?per_id=<id>
The JavaScript payload triggers immediately because the application prints the stored value directly inside the HTML without escaping.

Impact
This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any administrator or user who views personnel data or prints reports. Possible consequences include:
- Session hijacking
- Credential theft
- Unauthorized actions performed with the victim's session (CSRF-like behavior)
- Injection of backdoor scripts into report pages
- Manipulation of displayed personnel data
Because the payload is stored, the XSS persists across sessions and affects every viewer of the compromised personnel record.
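The following is an added example, not code from the Employee Profile Management System or from the submitter: it places the raw-echo pattern quoted above next to a hardened rendering that routes every user-controlled field through htmlspecialchars(). The field names per_address, bs_school, ms_school and dr_school come from the report; the $row array is a constructed sample, the e() helper and the two render functions are illustrative names, and the attribute-context line in the hardened version is an assumption about where the same fields might be reused, not a sink the report identifies.

```php
<?php
// Added example (not the project's code): vulnerable echo beside a hardened
// version. Field names follow the advisory; $row is a constructed sample.
declare(strict_types=1);

/**
 * Escape a value for an HTML text node or a double-quoted attribute.
 * ENT_QUOTES escapes ' and " as well, so the same helper is safe inside
 * attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently
 * returning an empty string, which would otherwise hide the field.
 */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample row carrying the payload from the reproduction steps.
$row = [
    'per_address' => "<script>alert('XSS');</script>",
    'bs_school'   => 'Example University',
    'ms_school'   => 'Example Institute',
    'dr_school'   => null,   // empty fields must not break the escaper
];

// Vulnerable pattern as described in the advisory: the stored value is
// echoed straight into the page, so the <script> tag reaches the browser.
function renderVulnerable(array $row): string
{
    ob_start();
    ?>
    <td><?php echo $row['per_address']; ?></td>
    <td><?php echo $row['bs_school']; ?></td>
    <?php
    return ob_get_clean();
}

// Hardened pattern: every user-controlled field passes through e() at the
// point of output. The input element is an assumed attribute context added
// to show that the ENT_QUOTES flag covers it too.
function renderHardened(array $row): string
{
    ob_start();
    ?>
    <td><?= e($row['per_address']) ?></td>
    <td><?= e($row['bs_school']) ?></td>
    <td><?= e($row['ms_school']) ?></td>
    <td><?= e($row['dr_school']) ?></td>
    <input type="text" value="<?= e($row['per_address']) ?>">
    <?php
    return ob_get_clean();
}

$vuln = renderVulnerable($row);
$safe = renderHardened($row);

// A simple regression check: the raw tag must survive only in the
// vulnerable output; the hardened output carries &lt;script&gt; instead.
var_dump(str_contains($vuln, '<script>'));
var_dump(str_contains($safe, '<script>'));
echo $safe;
```

The same helper must be applied in both sinks the report names, view_personnel.php and print_personnel_report.php, and to every field the page renders, not only per_address; escaping at output time is what closes the bug, whereas filtering at input time would leave already-stored payloads live and would not cover fields written through another path.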
Source: https://github.com/shenxianyuguitian/employee-management-XSS
User: xuanyuesanshi (UID 88126)
Submitted: 2025-11-21 08:24
Moderated: 2025-12-06 18:20 (15 days later)
Status: Accepted
VulDB Entry: 334614 [code-projects Employee Profile Management System 1.0 /view_personnel.php per_address/dr_school/other_school cross site scripting]
Points: 20
