VYPR · NVD Advisory · Unrated severity · Published Feb 23, 2025 · Updated Feb 24, 2025

SourceCodester Best Employee Management System Add Role Page Role.php cross site scripting

CVE-2025-1592

Description

A vulnerability was found in SourceCodester Best Employee Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/Operations/Role.php of the component Add Role Page. The manipulation of the argument assign_name/description leads to cross site scripting. The attack may be launched remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Best Employee Management System 1.0 is vulnerable to stored XSS in the Add Role page via the assign_name and description parameters.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in SourceCodester Best Employee Management System version 1.0. The flaw resides in the /admin/Operations/Role.php file, specifically within the Add Role functionality. The assign_name and description parameters are not properly sanitized, allowing an attacker to inject arbitrary JavaScript or HTML code. The vulnerability is classified as problematic (low severity) and is remotely exploitable [1].

Exploitation

An attacker needs only network access to the web application. No authentication is required to reach the vulnerable page. The attacker can craft a malicious payload in the assign_name or description fields and submit the Add Role form. The injected script will execute in the context of the victim's browser when the role list is rendered [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the browser of any administrator who views the role list, potentially leading to session hijacking, credential theft, or defacement of the admin interface [1].

Mitigation

SourceCodester has not released a patch for this vulnerability as of the publication date (2025-02-23). Users should manually validate and sanitize the assign_name and description inputs in /admin/Operations/Role.php or implement a Web Application Firewall (WAF) rule to block XSS payloads. The software may be End-of-Life (EOL), so upgrading to an alternative employee management system is recommended [1].
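As an added defensive illustration (this is not SourceCodester's code and not a patch for Role.php, whose internals are not shown here), the standard remedy for a stored XSS of this shape in a PHP admin page is to HTML-encode every dynamic value at the point it is written into the page, with server-side validation of the two named fields as a second layer. The `roles` table, the `$pdo` connection, the column names and every function name below are assumptions.

```php
<?php
// Added example, not the project's code. Shows the two layers the mitigation
// describes: validate assign_name/description on input, encode on output.
declare(strict_types=1);

// Encode a value for an HTML text or attribute context. ENT_QUOTES handles both
// quote styles; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation for the Add Role form. Returns a list of error messages;
// an empty list means the input is acceptable. Limits are assumed, not the project's.
function validateRoleInput(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['assign_name'] ?? ''));
    $desc = trim((string) ($post['description'] ?? ''));

    if ($name === '' || mb_strlen($name) > 64) {
        $errors[] = 'Role name must be 1-64 characters.';
    } elseif (!preg_match('/^[\p{L}\p{N} _-]+$/u', $name)) {
        // A role name is an identifier: letters, digits, space, underscore, hyphen.
        $errors[] = 'Role name contains disallowed characters.';
    }
    if (mb_strlen($desc) > 500) {
        $errors[] = 'Description must be at most 500 characters.';
    }
    return $errors;
}

// Vulnerable rendering pattern: stored values interpolated straight into markup.
function renderRoleRowUnsafe(array $role): string
{
    return "<tr><td>{$role['assign_name']}</td><td>{$role['description']}</td></tr>";
}

// Hardened rendering: every dynamic value passes through e() at output time.
function renderRoleRow(array $role): string
{
    return '<tr><td>' . e($role['assign_name']) . '</td>'
         . '<td>' . e($role['description']) . '</td></tr>';
}

// Handling the Add Role POST. The PDO handle and `roles` table are assumptions.
// Storage uses a prepared statement; encoding still happens only on output, so
// the database keeps the original text and the page stays safe however it is rendered.
function handleAddRole(PDO $pdo, array $post): array
{
    $errors = validateRoleInput($post);
    if ($errors !== []) {
        return $errors;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO roles (assign_name, description) VALUES (:name, :desc)'
    );
    $stmt->execute([
        ':name' => trim((string) $post['assign_name']),
        ':desc' => trim((string) $post['description']),
    ]);
    return [];
}

// Constructed sample row: a description that contains markup, as stored by an
// unvalidated submission. The hardened renderer emits it as inert text.
$sample = [
    'assign_name' => 'Auditor',
    'description' => '<script>alert(1)</script>',
];
echo renderRoleRow($sample), PHP_EOL;
```

Validation alone is not the fix: a description field legitimately needs punctuation, and a length check does not stop markup. The output encoding in `renderRoleRow` is what removes the script-execution path; the validator mainly shrinks what an unauthenticated submitter can store. A WAF rule, as the advisory suggests, is a stopgap in front of the application and does not replace either layer.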

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)