code-projects Employee Management System myprofileup.php cross site scripting

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System version 1.0. The flaw resides in the /myprofileup.php file, where the id GET parameter is embedded directly into HTML attributes (specifically navigation links and hidden input fields) without proper output encoding or sanitization [2]. The vulnerable parameter is reflected in at least two sinks: a navigation link such as HREF="...?id=... and a hidden input value [2]. Affected version: Employee Management System 1.0 [1].

Exploitation

The attack is remotely exploitable with no authentication required [2]. An attacker crafts a malicious URL containing a payload in the id parameter, such as ?id=101%22%3E%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E [2]. When a victim visits this URL, the injected script is reflected in the response and executed in the victim's browser. The exploit has been published in a public proof-of-concept [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session. This can lead to session hijacking (theft of cookies/tokens), account takeover by performing actions as the victim, and phishing or UI manipulation by modifying the page content [2]. The impact is limited to the browser client, but can compromise the user's session and data within the application.

Mitigation

As of the publication date (2026-05-25), no official patch has been released by the vendor (code-projects) [1]. The application is end-of-life or no longer maintained. The recommended mitigation is to remove or disable the /myprofileup.php file, implement proper input validation and output encoding (e.g., HTML entity encoding) for all user-supplied data, or replace the entire system with a supported alternative. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog at the time of writing.