Medium severity (CVSS 5.4) · NVD Advisory · Published Dec 30, 2017 · Updated May 13, 2026

CVE-2017-17995

Description

Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Biometric Shift Employee Management System via Last_Name parameter allows attackers to execute arbitrary JavaScript.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Biometric Shift Employee Management System (latest version) in the Last_Name parameter when processing requests to index.php?user=ajax [1]. The application fails to sanitize user input before storing it, which means the payload is persisted and executed when other users view the affected page [1].

Exploitation

An attacker with network access to the application can send a POST request to index.php?user=ajax with a crafted Last_Name parameter containing a JavaScript payload, such as jack'\">"'" [1]. No special privileges or authentication state are required beyond the ability to submit the employee registration form [1]. The payload is stored and later rendered without encoding in the application interface, so it executes whenever any user visits the affected page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, defacement, or further attacks such as CSRF [1]. The impact is limited by the browser's same-origin policy but can be significant depending on the privileges of the victim user [1].

Mitigation

As of the report date (December 2017), no fixed version had been released by the vendor [1]. The application has not been updated since, and users should assume it is permanently vulnerable. Mitigation requires server-side validation of the Last_Name parameter on input and HTML output encoding wherever the stored value is rendered. Until a patch is available, administrators should restrict network access to the application or deploy a Web Application Firewall (WAF) to filter XSS payloads [1].
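The two server-side controls named above, shown side by side as an added example (this is illustrative code, not part of the Biometric Shift Employee Management System or of this advisory; the function names and the ASCII-only name policy are assumptions). The constructed inputs include the probe string quoted in the exploitation section, a script-bearing value, and a legitimate name with an apostrophe, which is the case that shows why validation alone is not enough and why encoding must happen at output time:

```python
import html
import re

# Constructed sample Last_Name values, as they would arrive in the
# index.php?user=ajax request body. The first is the probe string quoted
# in the advisory; the last is a legitimate name that must keep working.
PROBE = 'jack\'\\">"\'"'
SAMPLE_LAST_NAMES = [
    PROBE,
    "<script>alert(1)</script>",
    "O'Brien",
]

# Assumed name policy: letters, spaces, hyphens and apostrophes only.
_LAST_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def validate_last_name(last_name: str) -> bool:
    """Input-side control: reject values that cannot be a surname.

    This blocks the obvious markup probes but deliberately allows an
    apostrophe, so it cannot be the only defence (see render_row_safe).
    """
    return bool(_LAST_NAME_RE.fullmatch(last_name))


def render_row_unsafe(last_name: str) -> str:
    """'Before' form: the stored value is concatenated straight into HTML,
    which is the pattern the advisory describes."""
    return f"<td>{last_name}</td>"


def render_row_safe(last_name: str) -> str:
    """Hardened form: HTML-encode at output time. quote=True also encodes
    the single and double quote, so attribute contexts are covered too."""
    return f"<td>{html.escape(last_name, quote=True)}</td>"


def contains_markup_breakers(fragment: str) -> bool:
    """Review check: does the text between the <td> tags still contain any
    character that could close the text context or an attribute?"""
    body = fragment[len("<td>"):-len("</td>")]
    return any(ch in body for ch in "<>\"'")


def process_registration(last_name: str) -> str:
    """Assumed handler pipeline: validate on input, encode on output.
    Returns the rendered row, or an error string for rejected input."""
    if not validate_last_name(last_name):
        return "error: Last_Name contains disallowed characters"
    return render_row_safe(last_name)


if __name__ == "__main__":
    for name in SAMPLE_LAST_NAMES:
        print(repr(name))
        print("  unsafe :", render_row_unsafe(name),
              "(breakers present)" if contains_markup_breakers(render_row_unsafe(name)) else "")
        print("  handler:", process_registration(name))
```

The encoded output for O'Brien still contains the apostrophe once the browser decodes `&#x27;`, so legitimate names render correctly while the probe string can no longer break out of the cell. A WAF rule that matches only `<script` would miss the advisory's probe entirely, which is why the page's recommendation pairs the WAF with server-side fixes rather than relying on it alone.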

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1