code-projects Employee Management System eloginwel.php cross site scripting
Description
A weakness has been identified in code-projects Employee Management System 1.0. It affects an unknown function in the file /eloginwel.php: manipulation of the argument ID causes cross site scripting. The attack can be launched remotely. An exploit has been published and could be used in attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Employee Management System 1.0 via the id parameter in /eloginwel.php allows remote attackers to inject arbitrary JavaScript.
Vulnerability
The Employee Management System 1.0 by code-projects [1] contains a reflected cross-site scripting (XSS) vulnerability in the file /eloginwel.php. The id query parameter is inserted directly into an HTML anchor href attribute without escaping or sanitization [2], so a value containing a double quote followed by a closing angle bracket terminates the attribute and the anchor's start tag, and whatever follows is parsed as new markup. Version 1.0 is the only version listed as affected, and no patched release exists.
Exploitation
An attacker can craft a URL whose id parameter carries a payload such as ">, which breaks out of the quoted href attribute so that the remainder of the value is rendered as HTML. When a victim (employee or admin) opens the crafted URL, the injected script is reflected in the response and executes in the victim's browser [2]. No authentication is required; the attacker only needs to persuade the victim to follow the link.
Impact
Successful exploitation runs attacker-controlled JavaScript in the application's origin, within the context of the victim's session. This enables session hijacking through cookie theft (where the session cookie is not marked HttpOnly), account takeover, and phishing by rewriting page content [2]. Execution is confined to the victim's browser, but if an administrator is targeted the attacker inherits administrative access to the whole application.
Mitigation
As of the publication date, code-projects has released no official patch and has not acknowledged the vulnerability [1]. Operators should validate the id parameter against its expected format (for a record identifier, a strictly numeric allow-list) and HTML-encode it for the attribute context on output. A web application firewall can block known payloads but is a stopgap, not a fix. A proof-of-concept is publicly available [2].
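The pattern described above, as an added example that is not the code-projects source: a minimal reconstruction of a link whose href is built from a request parameter, shown unescaped beside a hardened version. The function names, the link target eloginwel.php?id=, and the break-out payload are assumptions and constructed test input, not taken from the published exploit.

```php
<?php
// Added example (not the code-projects source). The helper names, the link
// target "eloginwel.php?id=" and the payload below are assumptions used to
// illustrate the advisory's description of an unescaped href attribute.
declare(strict_types=1);

// Vulnerable pattern: the raw id lands inside a quoted attribute, so a value
// beginning with "> closes the attribute and the <a> start tag, and the rest
// of the value is parsed as new HTML (reflected XSS).
function render_link_vulnerable(string $id): string
{
    return '<a href="eloginwel.php?id=' . $id . '">Welcome</a>';
}

// Hardened pattern:
//  1. allow-list the parameter (a record id is a short non-negative integer),
//  2. URL-encode the value for the query string,
//  3. HTML-encode the finished URL for the attribute context, with ENT_QUOTES
//     so single and double quotes are both escaped (the default only since
//     PHP 8.1; pass the flags explicitly to be safe on older versions).
function render_link_hardened(string $id): string
{
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        return '<p>Invalid id</p>';
    }
    $href = 'eloginwel.php?id=' . rawurlencode($id);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Welcome</a>';
}

// Constructed payload mimicking the break-out technique: a closing quote and
// angle bracket followed by an element with an event handler.
$payload = '"><img src=x onerror=alert(document.domain)>';

echo render_link_vulnerable($payload), PHP_EOL;   // injected tag survives
echo render_link_hardened($payload), PHP_EOL;     // rejected by the allow-list
echo render_link_hardened('42'), PHP_EOL;         // clean link
```

Run it with `php example.php` and compare the three lines. The allow-list does the real work here: if the parameter ever formed the entire href rather than one query-string value, HTML encoding alone would not stop a javascript: URL, whereas the numeric check rejects it outright.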
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zzzxc643/CVE1/blob/main/EMPLOYEE_MANAGEMENT_SYSTEM/vul12.md (mitre: exploit)
- vuldb.com/submit/813697 (mitre: third-party-advisory)
- code-projects.org (mitre: product)
- vuldb.com/vuln/365396 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365396/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.