Employee Performance Evaluation System v1.0 — Persistent Cross-Site Scripting (XSS) — ‘Departments and Designations Module’.
Employee Performance Evaluation System v1.0 was found to contain a persistent cross-site scripting (XSS) vulnerability via the input fields used to add new entries under the Departments and Designations module.
Vendor of Product:
https://www.sourcecodester.com
Steps to Reproduce:
Step 1: Log in with admin credentials and click the 'Departments' or 'Designations' button.
Step 2: Click the Add New button.
Step 3: Enter the following payload in the Department field (Departments tab) or the Designation field (Designations tab), and in the Description field.
Payload: <svg/onload=prompt(/ISAGHOJARIA/)>
Step 4: Click Save.
Step 5: The stored XSS payload is triggered when the new entry is displayed.
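For defenders, the root cause and fix are easiest to see side by side. The following is an added Python illustration, not code from the application (which is PHP): a stored Department/Description row rendered without output encoding next to the same row rendered with HTML escaping, plus a regression check that flags any stored value reaching the page unescaped. The entry dictionary, function names and field names are assumed for the example.

```python
import html

# Constructed sample of what an admin submits on the Add New form,
# using the payload quoted in the advisory above.
STORED_ENTRY = {
    "department": "<svg/onload=prompt(/ISAGHOJARIA/)>",
    "description": "Handles <b>payroll</b> & reviews",
}


def render_row_vulnerable(entry: dict) -> str:
    """Echoes stored values straight into the page (the pattern behind
    persistent XSS): the browser parses the <svg> tag and runs onload."""
    return "<tr><td>{department}</td><td>{description}</td></tr>".format(**entry)


def render_row_hardened(entry: dict) -> str:
    """Escapes every stored value at output time, so whatever the Add New
    form accepted is displayed as text rather than parsed as markup."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(entry["department"], quote=True),
        html.escape(entry["description"], quote=True),
    )


def contains_raw_markup(rendered: str, field_values) -> bool:
    """Regression check: return True if any stored value containing '<'
    appears verbatim (unescaped) in the rendered HTML."""
    for value in field_values:
        if "<" in value and value in rendered:
            return True
    return False
```

The same fix in PHP is to pass each stored value through htmlspecialchars() at output time, in every template that lists departments and designations.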