| Field | Value |
|---|---|
| Title | CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 Cross Site Scripting |
| Description | A stored cross-site scripting (XSS) vulnerability has been identified in the Project Management functionality of CodeAstro Human Resource Management System in PHP CodeIgniter (https://codeastro.com/human-resource-management-system-in-php-codeigniter-with-source-code/). The issue exists because user-controlled input submitted through the `protitle` parameter is not properly sanitized before being stored and rendered within project-related pages.<br>An authenticated attacker can inject arbitrary JavaScript into the Project Title field while creating a new project. The payload executes immediately after submission and continues to execute whenever a user visits the Projects Management page or opens the affected project.<br>Since project titles are visible to every other user across the organization, successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of other authenticated users. This may lead to session hijacking, unauthorized actions, phishing, content manipulation, or theft of sensitive information accessible within the application context. |
| Source | https://github.com/ashikmd0507/CVE/tree/main/Stored-XSS-via-Project-Title |
| User | ashikmd7 (UID 98284) |
| Submitted | 2026-05-26 01:54 PM (18 days ago) |
| Moderation | 2026-06-12 05:21 PM (17 days later) |
| Status | Accepted |
| VulDB Entry | 370615 [CodeAstro Human Resource Management System 1.0 Projects Management Page /Projects/Add_Projects protitle cross site scripting] |
| Points | 20 |
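The root cause the advisory describes (a stored value echoed into a listing page without output encoding) is easier to see beside its fix. The following standalone PHP script is an added illustration, not code from the CodeAstro project or from the submitter's write-up: the sample titles are constructed, and the `render_row_*` and `row_is_inert()` functions are assumptions for illustration only. It renders the same titles through an unencoded template and through an encoded one, then checks whether raw HTML metacharacters survived into the cell.

```php
<?php
// Added illustration, not code from the CodeAstro HRMS. Mimics the advisory's
// pattern: a project title stored verbatim and later echoed into a listing row.

// Constructed sample input: a benign title plus two payload-carrying titles.
const SAMPLE_TITLES = [
    'Payroll migration',
    'Q3 <script>alert(document.cookie)</script> planning',
    'Onboarding" onmouseover="alert(1)',
];

// Vulnerable pattern: the template interpolates the stored title as-is.
function render_row_unescaped(string $title): string
{
    return "<tr><td>{$title}</td></tr>";
}

// Hardened pattern: HTML-body encoding at output time. CodeIgniter 4's esc()
// and CodeIgniter 3's html_escape() reduce to htmlspecialchars() for this
// context, so the same call is used here to keep the script framework-free.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_escaped(string $title): string
{
    return '<tr><td>' . esc_html($title) . '</td></tr>';
}

// Regression check: everything between the fixed wrappers must be free of the
// characters that can open a tag or break out of an attribute.
function row_is_inert(string $row): bool
{
    return (bool) preg_match('~^<tr><td>[^<>"\']*</td></tr>$~', $row);
}

foreach (SAMPLE_TITLES as $title) {
    $bad  = render_row_unescaped($title);
    $good = render_row_escaped($title);
    printf("unescaped: %s\n  inert: %s\n", $bad, row_is_inert($bad) ? 'yes' : 'no');
    printf("escaped:   %s\n  inert: %s\n\n", $good, row_is_inert($good) ? 'yes' : 'no');
}
```

Run it with `php` from the command line; the benign title is inert either way, while both payload titles are inert only after encoding. The encoding belongs in every view that prints the title (the Projects Management listing and the project detail page the advisory names), because a filter applied once at the controller does not protect a value rendered in several places or in a different context later.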