code-projects Employee Management System applyleave.php cross site scripting
Description
A vulnerability was identified in code-projects Employee Management System 1.0. It affects an unknown function in the file /applyleave.php. Manipulating the ID argument can lead to cross-site scripting. The attack can be performed remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Employee Management System 1.0 has a reflected XSS in /applyleave.php via the id parameter, allowing remote attack.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System 1.0 in the file /applyleave.php. The id query parameter is reflected into multiple href attributes without proper HTML escaping, as shown in the PoC from reference [2]. The vulnerability affects version 1.0 and possibly earlier versions.
Exploitation
An attacker can craft a malicious URL whose id parameter carries a payload such as one beginning with `">` (which terminates the href attribute; see the PoC in reference [2]). By tricking a victim into visiting this URL (e.g., via a phishing email), the injected JavaScript executes in the victim's browser. No authentication is required, and the attack can be carried out remotely [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session. This can lead to session hijacking (stealing cookies/tokens), account takeover, or UI manipulation for phishing attacks [2]. The impact is limited to the victim's browser but can compromise the user's account.
Mitigation
No official fix has been released as of the publication date, and the vendor (code-projects.org) has not disclosed a patch [1]. Mitigation involves proper input validation and context-appropriate output encoding (here, HTML attribute encoding) for all user-supplied data in the id parameter, or using a web application firewall (WAF) to block known payloads in the meantime. Organizations using this software should review and sanitize the vulnerable code path.
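As an added illustration of the fix described above (not the project's own code, and not the actual contents of /applyleave.php), the following hypothetical fragment shows the vulnerable pattern, a query-string id written straight into an href attribute, beside a hardened version that validates the id as an integer and attribute-encodes it. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example: hypothetical reconstruction of the vulnerable pattern, NOT the
// real code-projects Employee Management System source.

// --- Vulnerable pattern: raw query-string value written into an href attribute ---
// A value beginning with "> closes the attribute, so whatever follows becomes markup.
function renderLeaveLinkVulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<a href="applyleave.php?id=' . $id . '">Apply for leave</a>';
}

// --- Hardened version ---
// 1. Validate: the id is a record number, so accept only a positive integer
//    (FILTER_VALIDATE_INT) and never echo a rejected value back to the page.
// 2. Encode: build the query string with http_build_query, then HTML-encode it
//    with ENT_QUOTES so both " and ' are neutralised inside the attribute.
function renderLeaveLinkHardened(array $get): string
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return '<p>Invalid leave request.</p>';   // fixed message, no reflection
    }
    $query = http_build_query(['id' => $id]);                       // "id=42"
    $attr  = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="applyleave.php?' . $attr . '">Apply for leave</a>';
}

// Constructed inputs: a benign id and one that only tries to close the attribute.
$benign  = ['id' => '42'];
$hostile = ['id' => '">x'];   // constructed sample, not the published PoC

echo renderLeaveLinkVulnerable($hostile), PHP_EOL; // attribute terminated early
echo renderLeaveLinkHardened($hostile), PHP_EOL;   // rejected before rendering
echo renderLeaveLinkHardened($benign), PHP_EOL;    // id=42 survives intact
```

Running the script shows the vulnerable function emitting `href=""` followed by attacker-controlled text, while the hardened function either rejects the value or emits a well-formed, quoted attribute.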
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zzzxc643/CVE1/blob/main/EMPLOYEE_MANAGEMENT_SYSTEM/vul19.md (mitre: exploit)
- vuldb.com/submit/813704 (mitre: third-party-advisory)
- code-projects.org (mitre: product)
- vuldb.com/vuln/365429 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365429/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.