itsourcecode Leave Management System CVE-2025-11433
Severity: LOW (by source)
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A security flaw has been discovered in itsourcecode Leave Management System 1.0. This impacts the function redirect of the file /module/employee/controller.php?action=reset of the component Query Parameter Handler. Performing a manipulation of the argument ID results in cross-site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Analysis (AI)
Reflected cross-site scripting (XSS) in itsourcecode Leave Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID query parameter in /module/employee/controller.php?action=reset; the injected script only runs when a victim interacts with a crafted link. Public exploit code is available, but the vulnerability carries low real-world risk (EPSS 0.03%, CVSS score 2.0) because the authentication and user-interaction requirements limit broad exploitation.
Technical Context (AI)
The vulnerability exists in a PHP-based Leave Management System where the Query Parameter Handler component fails to sanitize user input from the ID parameter before reflecting it in the redirect function of the employee controller. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where unsanitized query parameters are echoed back to the browser without proper HTML encoding or context-aware output encoding. The attack vector targets the employee module's password reset functionality, a common high-value target in enterprise systems.
Remediation (AI)
No vendor-released patch identified at time of analysis. Immediate mitigations:
(1) Apply context-aware output encoding to every user-controlled query parameter in the redirect function; in particular, encode the ID parameter for the context it lands in (HTML body, attribute, or URL) before it is included in any HTTP response.
(2) Validate the ID parameter at the boundary, accepting only the expected numeric or alphanumeric format and rejecting special characters and script tags outright.
(3) Set the HttpOnly and Secure flags on session cookies so that script injected via XSS cannot read the session cookie and the cookie is only sent over HTTPS.
(4) Deploy a Web Application Firewall (WAF) with XSS filtering rules to detect and block payloads sent to the /module/employee/controller.php endpoint.
(5) If the application supports Content Security Policy (CSP), send a strict policy (e.g., default-src 'self'; script-src 'self', with no 'unsafe-inline') so that the browser refuses injected inline script even if an encoding gap remains.
Contact itsourcecode.com directly about patch availability, or consider migrating to a maintained alternative if the vendor does not respond within a defined SLA.
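As an added illustration, not the project's own code (the record does not show the vulnerable controller), the following hypothetical PHP handler for the reset action applies mitigations (1), (2), (3) and (5) above; the employee id in $_GET['ID'] and the return URL /module/employee/index.php are assumptions.

```php
<?php
// Hypothetical hardened handler for action=reset (not the project's actual
// controller.php). The weak pattern it replaces is reflecting $_GET['ID']
// unencoded into the redirect/response.
declare(strict_types=1);

// (1)+(2): accept only a positive integer id at the boundary; anything else
// (strings, arrays, markup) is rejected before it reaches any output context.
function validateEmployeeId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The redirect target is built from the validated integer only, never from the
// raw query string, so the Location header cannot carry attacker-chosen text.
function buildRedirectTarget(int $id): string
{
    return '/module/employee/index.php?' . http_build_query(['ID' => $id, 'reset' => 1]);
}

// Anything that is reflected into an HTML body or attribute is encoded for that
// context, so a value such as <script> renders as text rather than markup.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// (3): session cookie unreadable by script and only sent over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// (5): strict CSP without 'unsafe-inline', so an inline <script> or event
// handler that slipped past encoding is still refused by the browser.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$raw = $_GET['ID'] ?? '';
$id  = validateEmployeeId($raw);
if ($id === null) {
    http_response_code(400);
    $shown = is_string($raw) ? $raw : '';   // arrays are never echoed
    echo '<p>Invalid employee id: ' . escapeForHtml($shown) . '</p>';
    exit;
}

header('Location: ' . buildRedirectTarget($id), true, 303);
exit;
```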