code-projects Employee Management System empproject.php cross site scripting
Description
A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Employee Management System 1.0 has a reflected XSS vulnerability in /empproject.php via the id parameter, allowing remote attackers to inject arbitrary JavaScript.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System 1.0 in the file /empproject.php. The id query parameter is reflected into navigation link href attributes without HTML escaping [1][2]. The application is a PHP project available from code-projects.org.
Exploitation
An unauthenticated attacker can craft a malicious URL containing an XSS payload in the id parameter. For example, sending a GET request to /empproject.php?id=%22%3E%3CScRiPt%3Ealert%28888%29%3C%2FsCrIpT%3E causes the injected script to be embedded in the response. URL-decoded, the payload is "><ScRiPt>alert(888)</sCrIpT>: the leading double quote and angle bracket close the open href attribute and anchor tag, and the mixed-case tag name defeats naive case-sensitive filters. The attack is remote and requires no special access [2]. The victim must simply visit the crafted URL to trigger execution.
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser within the security context of the application. This can lead to session hijacking (cookie theft, if the session cookie is not marked HttpOnly), account takeover, or phishing/UI manipulation [2]. Even with HttpOnly cookies, injected script can still issue requests in the victim's authenticated session. The scope is limited to the client side, but can affect sensitive user sessions.
Mitigation
As of the publication date (2026-05-25), no official patch has been released by the vendor. The project appears to be a legacy or example application from code-projects.org [1]. Users should validate the id parameter as an integer and encode it for the context in which it is reflected, specifically HTML-encoding it (with quotes escaped) before placing it in href attributes. Until a fix is made available, application administrators should treat input validation and output encoding as the minimum workaround; a Content-Security-Policy that blocks inline script further limits the impact of a missed sink.
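The following is an added example, not the project's own code. It assumes a reflection pattern reconstructed from the advisory (the id query string value concatenated into a navigation link's href), and shows that pattern beside the hardened form: integer validation followed by context-appropriate encoding. Function names and the page=2 query parameter are illustrative.

```php
<?php
// Added example. The vulnerable function is an assumption about what
// /empproject.php does, based on the advisory: the id parameter is written
// straight into an href attribute with no escaping.

// --- Vulnerable pattern (assumed; do not deploy) ---
function build_nav_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    // Raw reflection: an id of "><ScRiPt>... closes the attribute and the
    // <a> tag, so the rest of the value is parsed as markup.
    return '<a href="empproject.php?id=' . $id . '&page=2">Next</a>';
}

// --- Hardened form ---
function build_nav_safe(array $get): string
{
    // 1. Validate: employee ids are positive integers, so reject anything
    //    else before it reaches any output sink.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return '<p>Invalid employee id.</p>';
    }

    // 2. Encode for the context. The value sits inside a URL inside an HTML
    //    attribute, so it is URL-encoded first (http_build_query) and the
    //    whole attribute value is HTML-encoded second. ENT_QUOTES escapes
    //    both " and ' so the attribute cannot be closed early; the explicit
    //    charset avoids multibyte encoding tricks.
    $query = http_build_query(['id' => $id, 'page' => 2]);
    $href  = htmlspecialchars('empproject.php?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">Next</a>';
}

// Encoding-only variant, for sinks where the value must stay free-form.
// Even without the integer check, the advisory's payload is neutralised
// because every " < > becomes an entity and the attribute stays closed.
function build_nav_encoded_only(array $get): string
{
    $query = http_build_query(['id' => (string) ($get['id'] ?? ''), 'page' => 2]);
    $href  = htmlspecialchars('empproject.php?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">Next</a>';
}

// Constructed input mirroring the advisory's proof of concept (URL-decoded).
$payload = ['id' => '"><ScRiPt>alert(888)</sCrIpT>'];

echo "vulnerable:    ", build_nav_vulnerable($payload), PHP_EOL;
echo "validated:     ", build_nav_safe($payload), PHP_EOL;
echo "validated ok:  ", build_nav_safe(['id' => '7']), PHP_EOL;
echo "encoded only:  ", build_nav_encoded_only($payload), PHP_EOL;
```

Run it with php from the command line and compare the first line of output, where the attribute is broken open, with the last two, where the same payload survives only as harmless entities or is rejected outright. Validation is the primary fix here because the parameter has a fixed type; output encoding is what protects any sink where that is not the case.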
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zzzxc643/CVE1/blob/main/EMPLOYEE_MANAGEMENT_SYSTEM/vul17.md (mitre: exploit)
- vuldb.com/submit/813703 (mitre: third-party-advisory)
- code-projects.org (mitre: product)
- vuldb.com/vuln/365400 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365400/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.