Submission #837202: CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 Cross Site Scripting Info

Title: CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 Cross Site Scripting
Description: A stored cross-site scripting (XSS) vulnerability has been identified in the Project Management functionality of CodeAstro Human Resource Management System in PHP CodeIgniter ( https://codeastro.com/human-resource-management-system-in-php-codeigniter-with-source-code/ ). The issue exists because user-controlled input submitted through the protitle parameter is not properly sanitized before being stored and rendered within project-related pages. An authenticated attacker can inject arbitrary JavaScript payloads into the Project Title field while creating a new project. The malicious payload is executed immediately after submission and continues to execute persistently whenever users visit the Projects Management page or open the affected project. Since project titles are visible to all other users across the organization, successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of authenticated users. This may lead to session hijacking, unauthorized actions, phishing attacks, content manipulation, or theft of sensitive information accessible within the application context.
Source: https://github.com/ashikmd0507/CVE/tree/main/Stored-XSS-via-Project-Title
User: ashikmd7 (UID 98284)
Submitted: 2026-05-26 13:54 (29 days ago)
Moderation: 2026-06-12 17:21 (17 days later)
Status: Accepted
VulDB Entry: 370615 [CodeAstro Human Resource Management System 1.0 Projects Management Page /Projects/Add_Projects protitle Cross Site Scripting]
Points: 20
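The root cause described above is rendering a stored protitle value without output encoding. The following is an added illustration, not the CodeAstro application's own code: a hypothetical view fragment that echoes the stored title unescaped, beside the hardened form that HTML-escapes it at output time. The sample row is constructed; the function names are assumptions.

```php
<?php
// Added example, not code from the CodeAstro HRMS project.
// Models how a project row might be rendered in a CodeIgniter view.

// Constructed sample row: a project whose protitle was stored verbatim
// from the Add_Projects form, including markup the user typed.
$project = ['protitle' => 'Q3 Rollout <b>demo</b>'];

// Vulnerable pattern (the behaviour the advisory describes): the stored
// string is concatenated straight into the page, so any markup inside
// protitle becomes part of the DOM for every user who views the list.
function renderTitleUnsafe(array $project): string
{
    return '<td>' . $project['protitle'] . '</td>';
}

// Hardened pattern: encode for the HTML context at render time so the
// title is displayed as text. htmlspecialchars() is the PHP primitive;
// in CodeIgniter 4 the esc() helper wraps the same operation.
function renderTitleSafe(array $project): string
{
    $title = htmlspecialchars(
        $project['protitle'],
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<td>' . $title . '</td>';
}

// Defence in depth on the input side (hypothetical CodeIgniter 4 rule set):
// length and character limits reduce what can be stored, but they do not
// replace output encoding, which is the actual fix for this class of bug.
$projectRules = [
    'protitle' => 'required|max_length[120]',
];

echo renderTitleUnsafe($project), PHP_EOL;
echo renderTitleSafe($project), PHP_EOL;
```

Running the script shows the unsafe line emitting the `<b>` element as live markup while the safe line emits it as visible text, which is the difference a reviewer should look for in every place the project title is echoed.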
