VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

code-projects Employee Management System changepassemp.php cross site scripting

CVE-2026-9418

Description

A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Employee Management System 1.0 via `id` parameter in `/changepassemp.php` allows remote attackers to inject arbitrary HTML/JavaScript.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System 1.0 in the file /changepassemp.php. The id query parameter is embedded into navigation link href attributes without proper HTML escaping [2]. This allows an attacker to inject arbitrary HTML attributes and JavaScript code.

Exploitation

An attacker can craft a malicious URL containing a payload in the id parameter, such as "OnMoUsEoVeR=prompt(1)//. When a victim visits this URL and moves their mouse over the affected link, the injected event handler executes JavaScript in the victim's browser [2]. The attack is remote and does not require authentication or user interaction beyond visiting the link.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking (cookie theft), account takeover, phishing attacks, or UI manipulation of the Employee Management System interface [2].

Mitigation

As of the publication date (2026-05-25), no official patch has been released for Employee Management System 1.0. The vendor, code-projects, has not provided a fix. Mitigation requires sanitizing or escaping the id parameter input and output. Until a patch is available, users should avoid clicking untrusted links or enable a web application firewall (WAF) to block XSS payloads [2].
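Added illustrative PHP, not code from the Employee Management System project: the link-rendering shape the Vulnerability section describes, reconstructed here as an assumption, beside a hardened version that applies the validation and output encoding the Mitigation section calls for. The function names and the assumption that employee ids are positive integers are mine.

```php
<?php
// Illustrative example, not the project's code. The vulnerable shape is assumed
// from the advisory text: the raw id query parameter is written into an
// <a href="..."> attribute, so a value containing a double quote closes the
// attribute and everything after it is parsed as new attributes.
declare(strict_types=1);

// Vulnerable pattern (assumed shape): unescaped interpolation into an attribute.
function render_link_vulnerable(string $id): string
{
    return '<a href="changepassemp.php?id=' . $id . '">Change password</a>';
}

// Hardened pattern, two independent layers:
// 1. Validate: employee ids are expected to be short positive integers, so
//    anything else is rejected before it reaches the template.
// 2. Encode for the output context: http_build_query() URL-encodes the query
//    string and htmlspecialchars() with ENT_QUOTES turns " and ' into entities,
//    so the value can never terminate the href attribute.
function render_link_safe(string $id): ?string
{
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        return null; // caller should answer 400 Bad Request or redirect
    }
    $query = http_build_query(['id' => $id]);
    $href  = htmlspecialchars('changepassemp.php?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">Change password</a>';
}

// Demonstration with the attribute-breaking shape quoted in the advisory
// (constructed input; in the real page this would come from $_GET['id']).
$hostile = '"OnMoUsEoVeR=prompt(1)//';

echo render_link_vulnerable($hostile), PHP_EOL;
// the quote closes href and a new event-handler attribute is injected

var_dump(render_link_safe($hostile));  // NULL: rejected by the whitelist regex
echo render_link_safe('42'), PHP_EOL;   // <a href="changepassemp.php?id=42">Change password</a>

// Even if the validation layer were removed, encoding alone keeps the quote inert:
echo htmlspecialchars($hostile, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
// &quot;OnMoUsEoVeR=prompt(1)//
```

The same two layers apply wherever id is echoed on the page (HTML body, attributes, or JavaScript), each with the encoder for that context; a WAF rule is only a stopgap in front of this fix.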

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)
