Employee Performance Evaluation System v1.0 — Persistent Cross-Site Scripting (XSS) — ‘Departments and Designations Module’.

--

Employee Performance Evaluation System v1.0 was discovered to contain a persistent (stored) cross-site scripting (XSS) vulnerability, reachable by adding new entries under the Departments and Designations module.

Vendor of Product:
https://www.sourcecodester.com

Steps to Reproduce:
1) Log in with admin credentials and click the ‘Designations’ or ‘Departments’ button.
2) Click the Add New button.
3) Enter the following payload in the Department field (on the Department tab) or the Designation field (on the Designation tab), and in the Description field.

Payload: <svg/onload=prompt(/ISAGHOJARIA/)>

4) Click Save.
5) The stored XSS payload is triggered when the entry is rendered.
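The root cause behind a persistent XSS of this kind is stored input being written back into the page without output encoding. The following is an added example, not code from the advisory or from the vendor's application: it uses a hypothetical in-memory store (`add_department`) and two hypothetical listing templates, one that interpolates stored fields verbatim and one that applies HTML entity encoding at output, and checks both against the payload quoted above.

```python
import html
import re

# Payload quoted in the advisory; used here only to confirm the fix neutralises it.
PAYLOAD = "<svg/onload=prompt(/ISAGHOJARIA/)>"


def add_department(store: list, name: str, description: str) -> None:
    """Constructed stand-in for the departments table.

    Persisting the raw submission is not the defect; failing to encode it
    when it is rendered back into HTML is. Storing raw keeps the data exact
    and lets the encoding be chosen per output context.
    """
    store.append({"name": name, "description": description})


def render_listing_vulnerable(store: list) -> str:
    """Hypothetical template mirroring the reported behaviour:
    stored fields are interpolated into the page with no encoding."""
    rows = "".join(
        f"<tr><td>{row['name']}</td><td>{row['description']}</td></tr>"
        for row in store
    )
    return f"<table>{rows}</table>"


def render_listing_fixed(store: list) -> str:
    """Same listing with contextual output encoding: every stored value is
    HTML-entity encoded at the point it is placed into element content."""
    rows = "".join(
        f"<tr><td>{html.escape(row['name'], quote=True)}</td>"
        f"<td>{html.escape(row['description'], quote=True)}</td></tr>"
        for row in store
    )
    return f"<table>{rows}</table>"


# Test-time check only (not a sanitiser): tag names the template itself emits.
_TAG = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")
ALLOWED_TAGS = {"table", "tr", "td"}


def unexpected_tags(rendered: str) -> list:
    """Return tag names in the rendered output that the template did not emit.
    Any hit means user-supplied data was interpreted as markup."""
    found = {m.group(1).lower() for m in _TAG.finditer(rendered)}
    return sorted(found - ALLOWED_TAGS)


if __name__ == "__main__":
    db = []
    add_department(db, PAYLOAD, "Finance")
    print(unexpected_tags(render_listing_vulnerable(db)))  # ['svg']
    print(unexpected_tags(render_listing_fixed(db)))       # []
```

The `unexpected_tags` allowlist check is the kind of assertion worth keeping in a regression test for the fix: it fails the moment any stored field is rendered unencoded again, regardless of which payload is used.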

--