CVE-2026-12130
Description
Stored XSS in CodeAstro HRMS 1.0 project title field allows persistent JavaScript execution, affecting all authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in CodeAstro Human Resource Management System 1.0 within the Projects Management module. The flaw resides in the /Projects/Add_Projects endpoint, where the protitle parameter is not sanitized before being stored. This allows an authenticated attacker to inject arbitrary JavaScript code that is persisted and executed on subsequent page loads [1].
Exploitation
An attacker must be an authenticated user with project creation privileges. The exploit involves sending a crafted POST request to /hrsystem/Projects/Add_Projects containing a malicious payload in the `protitle` field (e.g., an `<svg>` element carrying an `onload` event handler). Upon successful submission, the payload is stored and immediately executed in the browser of any authenticated user who visits either /hrsystem/Projects/All_Projects or /hrsystem/Projects/view?P=... [1].
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the victim's session, potentially leading to session hijacking, forced actions, or information disclosure. Because all projects are visible to other authenticated users, the attack can target any user within the organization who accesses the Projects section [1].
Mitigation
No official patch has been released by CodeAstro as of the publication date (2026-06-12). The vendor's website [2] offers no advisory or update for this version. Given that the exploit is publicly available, administrators should consider restricting access to the project creation functionality or implementing input validation/escaping on the protitle parameter. The application may be unmaintained, so a full upgrade or replacement is recommended.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `protitle` parameter is stored and rendered without sanitization or output encoding, allowing injection of arbitrary HTML and JavaScript."
Attack vector
An authenticated attacker POSTs a multipart request to `/hrsystem/Projects/Add_Projects` with a `protitle` value containing an SVG event handler (e.g. `<svg onload="alert('XSS')">`). The application stores the unsanitized payload and serves it without output encoding, causing persistent JavaScript execution in every browser that visits `All_Projects` or views the malicious project [ref_id=1]. The CVSS vector shows the attack requires low-privilege authentication and user interaction (clicking into the Projects section), but the stored payload then fires automatically for any other authenticated user.
Affected code
The vulnerability resides in `/hrsystem/Projects/Add_Projects` — the request body includes the `protitle` parameter, and the stored value is later rendered on `/hrsystem/Projects/All_Projects` and `/hrsystem/Projects/view?P=Ng==` [ref_id=1]. No patch is available in the supplied bundle.
What the fix does
The advisory in [ref_id=1] recommends applying output encoding via `htmlspecialchars($input, ENT_QUOTES, 'UTF-8')` before rendering user-supplied data inside HTML. No code patch is provided in this bundle, so the fix guidance remains at the conceptual level: sanitize the `protitle` input server-side and encode output at every point where stored project titles are displayed.
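As an added illustration (not code from CodeAstro HRMS or from the advisory), the following PHP contrasts the rendering pattern described under Root cause with the output encoding the advisory recommends, and adds a server-side validation rule for `protitle` at the Add_Projects handler. The function names (`renderTitleUnsafe`, `renderTitleSafe`, `e`, `validateProjectTitle`), the sample title and the validation rule are assumptions chosen for this example.

```php
<?php
// Added example, not CodeAstro HRMS code. Function names and the validation
// rule below are hypothetical; only htmlspecialchars() is from the advisory.

declare(strict_types=1);

// Constructed sample: a stored project title of the kind the advisory describes.
const SAMPLE_TITLE = '<svg onload="alert(\'XSS\')">';

// Vulnerable pattern: the stored title is concatenated straight into the
// HTML of All_Projects / view, so any markup in it becomes part of the page.
function renderTitleUnsafe(string $protitle): string
{
    return '<td>' . $protitle . '</td>';
}

// Hardened pattern: encode at the output point, every time a stored title is
// displayed. ENT_QUOTES also encodes single quotes, which matters when the
// value lands inside an attribute delimited with '...'. ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8, which would silently drop the
// title instead of rendering it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(string $protitle): string
{
    return '<td>' . e($protitle) . '</td>';
}

// Defence in depth on the input side (hypothetical rule, not from the
// advisory): a project title has no legitimate need for angle brackets or
// control characters, so reject them in the Add_Projects handler and bound
// the length. Returns the cleaned title, or null when the value is rejected.
function validateProjectTitle(string $protitle): ?string
{
    $protitle = trim($protitle);
    if ($protitle === '' || mb_strlen($protitle, 'UTF-8') > 120) {
        return null;
    }
    if (preg_match('/[<>\x00-\x1F\x7F]/u', $protitle) === 1) {
        return null;
    }
    return $protitle;
}

// Demonstration: the same stored title through both rendering paths,
// then the input-side check applied to a hostile and a benign value.
echo 'unsafe: ' . renderTitleUnsafe(SAMPLE_TITLE) . PHP_EOL;
echo 'safe:   ' . renderTitleSafe(SAMPLE_TITLE) . PHP_EOL;
var_dump(validateProjectTitle(SAMPLE_TITLE));
var_dump(validateProjectTitle('Payroll migration Q3'));
```

Run with `php example.php`. In the unsafe output the `<svg>` element is emitted verbatim and a browser would fire its `onload` handler; in the safe output `<`, `>`, `"` and `'` are replaced by HTML entities, so the browser shows the title as literal text. Output encoding is the fix that actually closes the hole, because it protects every display point regardless of how the value got into the database; the validation rule only narrows what a new submission can store and does nothing for titles already saved.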
Preconditions
- auth: The attacker must possess a valid authenticated session for the CodeAstro Human Resource Management System.
- input: The attacker must have access to the "Add Project" form at POST /hrsystem/Projects/Add_Projects.
- input: A victim user must browse the Projects section (All_Projects or the view page) to trigger the stored payload.
- network: No special network position is needed; the form is accessible over HTTP via the standard web interface.
Reproduction
1. Log in to the HR Management System.
2. Navigate to the Projects section and open the "Add Project" form.
3. Inject `<svg onload="alert('Stored XSS by ashikmd7')">` into the Project Title field.
4. Submit the form.
5. Observe that the payload executes immediately after submission.
6. Visit `/hrsystem/Projects/All_Projects` or `/hrsystem/Projects/view?P=Ng==`; the JavaScript payload continues executing persistently for every user viewing the malicious project. [ref_id=1]
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.