CVE-2017-17994
Description
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Biometric Shift Employee Management System has a stored XSS vulnerability in the criteria parameter of the competency_criteria page, allowing arbitrary script execution.
Vulnerability
The Biometric Shift Employee Management System (latest version) contains a stored cross-site scripting (XSS) vulnerability in the criteria parameter of the index.php?user=competency_criteria page. The input is not sanitized, allowing injection of arbitrary HTML and JavaScript. [1]
Exploitation
An attacker can submit a POST request to index.php?user=competency_criteria with a crafted criteria parameter containing malicious script. No authentication is required if the application itself is exposed, but typically the attacker would need to be a logged-in user with access to the competency criteria form. The payload is stored and executed whenever the page is viewed. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, defacement, or further attacks against administrators or other users viewing the compromised page. [1]
Mitigation
No official patch or updated version had been released as of the publication date (2017-12-30). Users should escape HTML characters in user-supplied input before it is rendered and deploy a Content Security Policy (CSP). The vendor should release a fix. [1]
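To illustrate the escaping the Mitigation section calls for, the following is an added example (not code from the report, the vendor's application, or the CVE record): a hypothetical PHP rendering of a stored criteria value, shown in its unsafe and hardened forms, plus a CSP header. The function names and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical rendering of a stored criteria value into an HTML table cell.
// The unsafe pattern echoes the stored string unchanged, so any markup a user
// saved in the criteria field reaches every browser that views the page.
function renderCriteriaUnsafe(string $criteria): string
{
    return '<td>' . $criteria . '</td>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes single and double quotes, so the same helper
// is safe when the value is placed inside an attribute value.
function renderCriteriaSafe(string $criteria): string
{
    $encoded = htmlspecialchars($criteria, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Defence in depth: a Content Security Policy that forbids inline script and
// restricts script sources to the application's own origin. Must be sent
// before any response body is written.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample input containing HTML-significant characters
// (not a payload taken from the referenced report).
$sample = 'Accuracy > 95% & <b>on time</b>';

// Compare the two renderings: the safe one contains no raw <, >, & or quotes.
echo renderCriteriaUnsafe($sample), PHP_EOL;
echo renderCriteriaSafe($sample), PHP_EOL;
```

Output encoding belongs at the point of rendering; storing already-encoded data breaks other consumers of the field and invites double encoding.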
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
- [1] github.com/d4wner/Vulnerabilities-Report/blob/master/Biometric-Shift-Employee-Management-System.md (NVD tags: Exploit, Third Party Advisory)
News mentions: 0
No linked articles in our index yet.