| Field | Value |
|---|---|
| Title | SourceCodester Leave Application System in PHP and SQLite3 1.0 Cross Site Scripting |
| Description | A reflected cross-site scripting (XSS) vulnerability exists in the Leave Application System in PHP and SQLite3 version 1.0.<br>The vulnerability is caused by improper sanitization of user-supplied input via the `id` parameter in the URL. The input is directly reflected in the response without proper encoding, allowing attackers to inject arbitrary JavaScript code.<br>An attacker can craft a malicious URL containing a JavaScript payload which, when visited by a victim, executes in their browser context.<br><br>**Proof of Concept (PoC):**<br>`http://localhost/php-sqlite-leave-application/?page=manage_user&id=<script>alert(1)</script>`<br><br>**Impact:**<br>This vulnerability allows attackers to execute arbitrary JavaScript, steal session cookies, hijack user sessions, and perform actions on behalf of authenticated users.<br><br>**Remediation:**<br>Proper input validation and output encoding should be implemented. Use functions like `htmlspecialchars()` in PHP and enforce strict input validation. Implementing Content Security Policy (CSP) is also recommended. |
| Source | https://medium.com/@hemantrajbhati5555/reflected-cross-site-scripting-xss-in-leave-application-system-php-sqlite3-e7f915fcf21e |
| User | Hemant Raj Bhati (UID 95613) |
| Submission | 03/17/2026 14:35 (18 days ago) |
| Moderation | 04/03/2026 09:27 (17 days later) |
| Status | Duplicate |
| VulDB entry | 354345 [SourceCodester Leave Application System 1.0 User Management cross site scripting] |
| Points | 0 |
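As an added example (not code from the application or from the submission above), the following PHP shows the remediation layers the description names: strict validation of the `id` parameter, `htmlspecialchars()` on output, and a CSP header. The handler shape and function names are assumptions, since the vulnerable source is not on this page; only the `page=manage_user` route and the `id` parameter come from the record.

```php
<?php
// Added example, not the application's own code. The handler shape is an
// assumption built around the `id` parameter on page=manage_user.

// Vulnerable pattern: the raw query-string value is written straight into HTML.
function render_manage_user_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return "<input type=\"hidden\" name=\"id\" value=\"$id\">";
}

// Hardened pattern, layer 1: strict input validation.
// Returns null (caller answers 400) unless the id is a positive integer.
function validate_user_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects values such as "7<script>", "1e3" or "01".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Layer 2: output encoding for HTML text/attribute context. ENT_QUOTES covers
// both quote styles; the explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_manage_user_hardened(array $get): string
{
    $id = validate_user_id($get['id'] ?? '');
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid user id.</p>';
    }
    // Encode even validated values: defence in depth if validation is later relaxed.
    return '<input type="hidden" name="id" value="' . h((string) $id) . '">';
}

// Layer 3: a restrictive CSP. Without 'unsafe-inline', an injected inline
// <script> does not execute even where an encoding step was missed.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed request carrying the record's PoC value in the id parameter.
$request = ['id' => '7<script>alert(1)</script>'];
echo render_manage_user_vulnerable($request), "\n"; // raw value lands in the markup
echo render_manage_user_hardened($request), "\n";   // rejected by validation
```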