CodeAstro Online Railway Reservation System Add Employee Page admin-add-employee.php cross site scripting
Description
A vulnerability, which was classified as problematic, was found in CodeAstro Online Railway Reservation System 1.0. Affected is an unknown function of the file /admin/admin-add-employee.php of the component Add Employee Page. The manipulation of the argument emp_fname/emp_lname/emp_nat_idno/emp_addr leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in CodeAstro Online Railway Reservation System 1.0 allows remote attackers to inject arbitrary JavaScript via employee profile fields.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in CodeAstro Online Railway Reservation System version 1.0. The affected pages are /admin/admin-add-employee.php and /admin/admin-update-employee.php, where the parameters emp_fname, emp_lname, emp_nat_idno, and emp_addr are echoed directly into HTML without proper sanitization or validation. This allows an attacker to inject arbitrary JavaScript code that is stored and executed when the page is viewed [1].
Exploitation
An attacker must be authenticated as an administrator to access the employee management pages. The reference provides default credentials (admin@mail.com / codeastro.com) [1]. Once logged in, the attacker can navigate to either the add or update employee page and inject a malicious payload (e.g., ``) into any of the four vulnerable fields. The payload is stored in the database and executed in the browser of any admin who subsequently views the affected page [1].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session cookie theft, unauthorized actions performed on behalf of the admin, or defacement of the admin interface. The impact is confined to the admin area but could compromise the entire application if admin credentials are stolen [1].
Mitigation
As of the publication date (2024-08-15), no official patch has been released by the vendor. The application may be end-of-life or unsupported. As a workaround, implement strict input validation and output encoding for all employee profile fields. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =1.0
- (no CPE) range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input in emp_fname, emp_lname, emp_nat_idno, and emp_addr is echoed directly into HTML without sanitization or validation."
Attack vector
An attacker with admin panel access (credentials: admin@mail.com / codeastro.com) can inject arbitrary JavaScript via the `emp_fname`, `emp_lname`, `emp_nat_idno`, or `emp_addr` parameters on the Add Employee or Update Employee pages [ref_id=1]. The payload is stored in the database and executed when any user views the employee records, making this a stored cross-site scripting attack [ref_id=1]. The attack is launched remotely over HTTP.
Affected code
The vulnerability exists in `/admin/admin-add-employee.php` and `/admin/admin-update-employee.php`. The parameters `emp_fname`, `emp_lname`, `emp_nat_idno`, and `emp_addr` are echoed directly into HTML without sanitization [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory recommends proper sanitization and validation of the `emp_fname`, `emp_lname`, `emp_nat_idno`, and `emp_addr` parameters before echoing them into HTML [ref_id=1]. Remediation would involve escaping HTML special characters or using a context-appropriate output encoding function.
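The Mitigation and "What the fix does" sections both describe the same remediation: validate the four employee fields on input and apply HTML output encoding before echoing them. The following PHP is an added illustration written for this page, not CodeAstro's code and not a patch from the project; the function names (`h`, `validateEmployee`, `renderRowSafe`, `renderEditInput`) and the per-field length limits are assumptions, and the sample record is constructed.

```php
<?php
// Added example (not CodeAstro's code): contrasts the unsafe echo pattern the
// advisory describes with context-appropriate output encoding plus input
// validation. Function names and length caps are assumptions for illustration.

declare(strict_types=1);

// The four fields named in the advisory; maximum lengths are assumed values.
const EMPLOYEE_FIELDS = [
    'emp_fname'    => 60,
    'emp_lname'    => 60,
    'emp_nat_idno' => 32,
    'emp_addr'     => 200,
];

/**
 * Encode a value for an HTML text node or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters so the same encoder is safe inside
 * value="..."; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Validate the submitted employee fields: require each one, trim it, enforce
 * a length cap and reject control characters. Returns [values, errors].
 * Validation narrows what reaches the database; it does not replace h() at
 * output time, because stored rows must still be encoded when displayed.
 */
function validateEmployee(array $post): array
{
    $values = [];
    $errors = [];
    foreach (EMPLOYEE_FIELDS as $field => $maxLen) {
        $raw = $post[$field] ?? '';
        if (!is_string($raw)) {
            $errors[$field] = 'invalid type';
            continue;
        }
        $raw = trim($raw);
        if ($raw === '') {
            $errors[$field] = 'required';
        } elseif (mb_strlen($raw, 'UTF-8') > $maxLen) {
            $errors[$field] = "longer than $maxLen characters";
        } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw)) {
            $errors[$field] = 'control characters not allowed';
        } else {
            $values[$field] = $raw;
        }
    }
    return [$values, $errors];
}

// The pattern the advisory describes: values written straight into markup.
// Shown only for contrast with renderRowSafe(); do not use.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['emp_fname'] . '</td><td>' . $row['emp_addr'] . '</td></tr>';
}

// Hardened rendering: every dynamic value passes through h() at the point of
// output, whether it arrives from $_POST or is read back from the database.
function renderRowSafe(array $row): string
{
    $cells = '';
    foreach (array_keys(EMPLOYEE_FIELDS) as $field) {
        $cells .= '<td>' . h($row[$field] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Attribute context for the update form: h() with ENT_QUOTES keeps the value
// inside the quotes of value="...".
function renderEditInput(string $field, string $value): string
{
    return '<input type="text" name="' . h($field) . '" value="' . h($value) . '">';
}

// Constructed sample record containing ordinary markup and quote characters
// (not a payload) so the encoder's effect is visible in the output.
$sample = [
    'emp_fname'    => "O'Brien <b>bold</b>",
    'emp_lname'    => 'Smith',
    'emp_nat_idno' => 'ID-12345',
    'emp_addr'     => '1 "Main" St & Co',
];

[$values, $errors] = validateEmployee($sample);
if ($errors !== []) {
    foreach ($errors as $field => $msg) {
        echo "$field: $msg", PHP_EOL;
    }
    exit(1);
}
echo renderRowSafe($values), PHP_EOL;
echo renderEditInput('emp_addr', $values['emp_addr']), PHP_EOL;
```

Running the script prints the row with `<`, `>`, `&` and both quote characters replaced by HTML entities, so the browser renders the sample name and address as text rather than parsing them as markup. The same `h()` call belongs on every page that displays an employee record, not only on the add and update pages, since the stored value is what reaches later viewers.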
Preconditions
- auth: Attacker must have valid admin credentials (admin@mail.com / codeastro.com) to access the admin panel
- network: The application must be reachable over the network
- input: Attacker must submit crafted input via the emp_fname, emp_lname, emp_nat_idno, or emp_addr parameters
Reproduction
1. Log in at `/admin/emp-login.php` with Email `admin@mail.com` and Password `codeastro.com`.
2. Navigate to `/admin/admin-add-employee.php`.
3. Enter `
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/CYB84/CVE_Writeup/blob/main/Online%20Railway%20Reservation%20System/Stored%20XSS.md (mitre; exploit)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.