Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)

EDB-ID:

49854

CVE:

N/A




Platform:

PHP

Date:

2021-05-10


# Exploit Title: Human Resource Information System  0.1  - 'First Name'  Persistent Cross-Site Scripting (Authenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86

# --- Description --- #

# The web application allows for an  assisstant to inject persistent Cross-Site-Scripting payload which will be executed in both assistant and Super Admin panel  


# --- Proof of concept --- #

1- Login as Assistant and go to:  http://localhost/code/Admin_Dashboard/Add_employee.php
2- Click on Add Employee button
3- Inject this payload into First Name input : <script>alert('xss')</script> 
4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Save button.
5- refresh the page and Xss popup will be triggered.

6- Now if Super Admin visit this page in his/her Dashboard : http://localhost/code/Superadmin_Dashboard/Add_employee.php
7- Our Xss payload will be executed on Super Admin Browser

** Attacker can use this vulnerability to take over Super Admin account **