| Título | SourceCodester Leave Application System in PHP and SQLite3 1.0 Cross Site Scripting |
|---|
| Descrição | A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Leave Application System in PHP and SQLite3 developed by oretnom23.
The application fails to properly sanitize user-supplied input in multiple fields such as employee name, department, and user management fields.
An attacker can inject malicious JavaScript payloads which are stored in the database and executed automatically when the affected page is viewed by other users.
Example payload used during testing:
<img src=x onerror=alert('Spider')>
Steps to reproduce:
1. Login to the application.
2. Navigate to Add Employee or Add User.
3. Insert the payload into an input field.
Payload : <img src=x onerror=alert('Spider')>
4. Save the entry.
5. Navigate to the listing page.
The payload is stored in the database and executed when the page
This vulnerability may allow attackers to execute arbitrary JavaScript, hijack administrator sessions, or perform actions on behalf of other users. |
|---|
| Fonte | ⚠️ https://medium.com/@hemantrajbhati5555/stored-cross-site-scripting-xss-in-php-leave-application-system-3260c881a1fa |
|---|
| Utilizador | Hemant Raj Bhati (UID 95613) |
|---|
| Submissão | 15/03/2026 11h58 (há 18 dias) |
|---|
| Moderação | 31/03/2026 12h18 (16 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 354345 [SourceCodester Leave Application System 1.0 User Management Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|