Headline
CVE-2022-3502: POC/Stored Xss at main · draco1725/POC
A vulnerability was found in Human Resource Management System 1.0. It has been classified as problematic. This affects an unknown part of the component Leave Handler. The manipulation of the argument Reason leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-210831.
# Exploit Title: Human Resource Management System v1.0 - Normal user Apply leave “Reason” Parameter = Persistent XSS
# Exploit Author: Pratik Shetty
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Version: v1.0
# Tested on: Windows 10, Apache
Description:
A Persistent XSS issue in Human Resource Management System v1.0 allows to inject Arbitrary JavaScript in “Reason” Parameter.
Parameter:
Leave Apply = Reason
Payload:
<script>prompt(1)</script>
Steps:
Login as a normal user
Now in that we can see an tab named “Leave” in that go to “Apply”
The Parameter “Reason” in this we put our payload.
Payload: <script>prompt(1)</script>
Now fill the other details and save the file
Go to “Application” and we can see that our Payload has been executed.