Platform
php
Component
employee-management-system---stored-xss
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Employee Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating parameters within the edit-profile.php file. A patch is available in version 1.0.1, addressing this security concern.
Successful exploitation of CVE-2024-1010 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to session hijacking, credential theft, or redirection to malicious websites. The attacker could potentially gain access to sensitive employee data stored within the system, including personal information, contact details, and potentially financial records. The blast radius is limited to users interacting with the affected edit-profile.php page.
This vulnerability is publicly disclosed and documented in VDB-252279. No active exploitation campaigns or proof-of-concept exploits have been widely reported as of the publication date (2024-01-29). The CVSS score of 3.5 indicates a low severity, suggesting a relatively low probability of exploitation without significant attacker effort.
Exploit Status
EPSS
0.20% (42% percentile)
CVSS Vector
The primary mitigation for CVE-2024-1010 is to immediately upgrade to version 1.0.1 of the Employee Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the fullname, phone, date of birth, address, and date of appointment parameters within the edit-profile.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the affected parameter.
Update to a patched version of the employee management system. If no version is available, review and filter the inputs of the fullname, phone, date of birth, address, and date of appointment fields in the edit-profile.php file to prevent malicious code injection. Implement data validation and sanitization on the server-side.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-1010 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Employee Management System versions 1.0–1.0, allowing attackers to inject malicious scripts through parameter manipulation in edit-profile.php.
You are affected if you are using SourceCodester Employee Management System version 1.0 or 1.0. Check your version and upgrade immediately.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the affected parameters.
No active exploitation campaigns have been widely reported as of the publication date, but the vulnerability is publicly known and could be targeted.
Refer to the VDB entry VDB-252279 for details on this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.