Vendor: Employee Performance Evaluation System
By: Ritesh Gohil
CVSS: 8.8 (HIGH)
Vulnerability: Persistent Cross Site Scripting
CWE: 79
Product Name: Employee Performance Evaluation System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: 2.3:a:sourcecodester:employee_performance_evaluation_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10/Kali Linux
Year: 2020

Employee Performance Evaluation System 1.0 – 'Task and Description' Persistent Cross Site Scripting

Employee Performance Evaluation System 1.0 is vulnerable to Persistent Cross Site Scripting. An attacker can exploit this vulnerability by logging in with Admin credentials and clicking the 'Task' button, then clicking the Add New Task button and entering the payload 'ritesh"><img src=x onerror=alert(document.domain)>' into the Task and Description input fields. When the attacker clicks Save, the stored XSS payload is triggered.

Mitigation:

Validate user input on the server so that markup cannot be injected into the application, and sanitize user-supplied values before they are rendered so that any injected code is never executed.

Exploit-DB raw data:

# Exploit Title: Employee Performance Evaluation System 1.0 - ' Task and Description' Persistent Cross Site Scripting
# Date: 08/12/2020
# Exploit Author: Ritesh Gohil
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Steps to Reproduce:
1) Login with Admin credentials and click on the 'Task' button.
2) Click on the Add New Task button.
3) Now add the following payload into the input fields of Task and Description.

Payload: ritesh"><img src=x onerror=alert(document.domain)>

4) Click on Save.
5) The XSS payload is triggered.
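The following is an added example, not code from the Employee Performance Evaluation System or from the advisory author. It illustrates both the mitigation section and the reproduction steps from a defender's side: the payload's leading `">` only works if the stored value is echoed back inside a quoted HTML attribute without encoding, so the example assumes (a hypothetical, since the application's template is not on the page) that the task name is re-rendered into an `<input value="...">` field. It shows the unencoded rendering beside a hardened version that applies context-appropriate output encoding, and an audit helper that flags task rows already holding markup, which matters because the page records that no patch exists. All sample rows are constructed.

```python
import html
import re

# Constructed sample: the payload quoted in the advisory, as it would sit in the
# task table after an unvalidated save.
STORED_TASK_NAME = 'ritesh"><img src=x onerror=alert(document.domain)>'


def render_task_input_vulnerable(task_name: str) -> str:
    """Echoes the stored value into an HTML attribute with no encoding.

    This models the defect the advisory describes (assumed template, not the
    project's own): the value is concatenated straight into the markup, so a
    leading '">' closes the attribute and the tag, and the remainder is parsed
    as a new element with an event handler.
    """
    return '<input type="text" name="task" value="' + task_name + '">'


def render_task_input_hardened(task_name: str) -> str:
    """Same template with output encoding for the attribute context.

    html.escape with quote=True (the default) turns &, <, >, " and ' into
    entities, so the stored value can neither terminate the attribute nor
    open a tag, whatever was saved earlier.
    """
    return ('<input type="text" name="task" value="'
            + html.escape(task_name, quote=True) + '">')


# Start of any element: "<" followed by optional whitespace and a letter.
_TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def count_elements(markup: str) -> int:
    """Counts element starts in a rendered fragment; the template alone has one."""
    return len(_TAG_RE.findall(markup))


def is_value_contained(task_name: str) -> bool:
    """True when the hardened renderer keeps the user value inside the attribute."""
    return count_elements(render_task_input_hardened(task_name)) == 1


# Audit pattern: a tag start or an on*= event-handler attribute in stored data.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def find_injected_rows(rows):
    """Returns ids of task rows whose Task or Description already contain markup.

    Intended as a one-off audit of existing data after deploying output
    encoding; benign markup is flagged too, so results need a human review.
    """
    return [row["id"] for row in rows
            if _MARKUP_RE.search(row["task"]) or _MARKUP_RE.search(row["description"])]


# Constructed rows standing in for the application's task table.
SAMPLE_ROWS = [
    {"id": 1, "task": "Quarterly review", "description": "Collect self-assessments"},
    {"id": 2, "task": STORED_TASK_NAME, "description": "x"},
    {"id": 3, "task": "Onboarding", "description": "Click <b>Save</b> when done"},
]

if __name__ == "__main__":
    print("vulnerable:", render_task_input_vulnerable(STORED_TASK_NAME))
    print("hardened:  ", render_task_input_hardened(STORED_TASK_NAME))
    print("rows to review:", find_injected_rows(SAMPLE_ROWS))
```

Encoding at render time is the control that actually stops execution; input validation on save reduces what reaches the database but cannot be relied on for rows that were stored before the fix, which is why the audit helper walks existing data.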