Employee Performance Evaluation System v1.0 — Persistent Cross-Site Scripting (XSS) — ‘Departments and Designations Module’.

--

Employee Performance Evaluation System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via adding new entries under the Departments and Designations module.

Vendor of Product:
https://www.sourcecodester.com

Steps to Reproduce:

Step 1: Log in with admin credentials and click the ‘Designations’ or ‘Departments’ button.

Step 2: Click the ‘Add New’ button.

Step 3: Enter the following payload in the Department field (Departments tab) or the Designation field (Designations tab), and also in the Description field.

Payload: <svg/onload=prompt(/ISAGHOJARIA/)>

Step 4: Click ‘Save’.

Step 5: The stored XSS payload is triggered.
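Added example (not code from the Employee Performance Evaluation System project): the vulnerable rendering pattern the steps above exercise, beside the hardened form that neutralises the same stored value. It assumes the entry is stored with `name` and `description` fields; the sample entry is constructed from the payload in this advisory.

```python
import html
import re

# Constructed sample: the payload from the advisory saved as the department
# name and description via the "Add New" form.
SAMPLE_ENTRY = {
    "name": "<svg/onload=prompt(/ISAGHOJARIA/)>",
    "description": "<svg/onload=prompt(/ISAGHOJARIA/)>",
}


def render_row_unsafe(entry):
    """Mirrors the vulnerable pattern: stored values concatenated into HTML
    unchanged, so the saved markup executes on every page that lists it."""
    return f"<tr><td>{entry['name']}</td><td>{entry['description']}</td></tr>"


def render_row_safe(entry):
    """Hardened form: encode every stored value for the HTML body context at
    output time. The text is still shown to the admin, but as inert text."""
    name = html.escape(entry["name"], quote=True)
    desc = html.escape(entry["description"], quote=True)
    return f"<tr><td>{name}</td><td>{desc}</td></tr>"


# Assumed allowlist for department/designation names (defence in depth only;
# output encoding above is what actually prevents the XSS).
NAME_RE = re.compile(r"^[A-Za-z0-9 &'./-]{1,64}$")


def is_valid_name(value):
    """Server-side allowlist check to apply before saving a new entry."""
    return NAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_ENTRY))
    print("safe:  ", render_row_safe(SAMPLE_ENTRY))
    print("valid name:", is_valid_name(SAMPLE_ENTRY["name"]))
```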

--