code-projects Employee Management System myprofile.php cross site scripting
Description
A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Employee Management System 1.0 has a reflected XSS in /myprofile.php via the id parameter, enabling session hijacking or account takeover.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System 1.0. The vulnerable endpoint is GET /myprofile.php, where the id parameter is inserted into HTML attributes (navigation links and a hidden input) without proper escaping. The application does not sanitize or encode the id value before reflecting it in the response. Affected version: Employee Management System 1.0 [1][2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attack requires crafting a malicious URL containing a payload in the id parameter. For example, the payload "> when URL-encoded as %22%3E%3CScRiPt%3Ealert%2855%29%3C%2FScRiPt%3E is placed in the id parameter. When a victim visits this crafted URL, the injected script executes in the victim's browser. No special privilege or user interaction beyond clicking the link is required [2].
Impact
Successful exploitation allows an attacker to execute arbitrary HTML/JavaScript in the victim's browser within the security context of the Employee Management System. This can lead to session hijacking by stealing cookies or authentication tokens, account takeover by performing actions on behalf of the victim, or phishing/UI manipulation to trick users into divulging credentials. The impact is limited to the victim's browser session and does not grant server-side code execution [2].
Mitigation
As of the publication date (2026-05-25), no official patch has been released by the vendor. The project page on code-projects.org provides the source code [1], but the version listed (1.0) is vulnerable. Users should apply input validation and output encoding on the id parameter within /myprofile.php to neutralize XSS vectors. Until a fix is issued, organizations should restrict access to the application or implement a web application firewall (WAF) to block malicious payloads [2]. The vulnerability is publicly disclosed and may be added to the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: =1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/zzzxc643/CVE1/blob/main/EMPLOYEE_MANAGEMENT_SYSTEM/vul13.mdmitreexploit
- vuldb.com/submit/813698mitrethird-party-advisory
- code-projects.orgmitreproduct
- vuldb.com/vuln/365397mitrevdb-entrytechnical-description
- vuldb.com/vuln/365397/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.