Employee Management System
SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.
SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.
SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; at time of analysis, no public exploit corroborating active KEV-level campaigns has been identified.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub, but no KEV-confirmed widespread exploitation has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.
Cross-site scripting in code-projects Employee Management System 1.0 allows remote, unauthenticated attackers to inject malicious scripts via the ID parameter of /myprofileup.php, requiring only passive user interaction to execute. A publicly available proof-of-concept exploit exists on GitHub, though EPSS at 0.03% (10th percentile) and SSVC's 'not automatable' rating indicate minimal observed real-world exploitation activity. The vulnerability is limited to partial integrity impact on the vulnerable system with no confidentiality or availability impact, consistent with the CVSS 4.0 score of 2.1.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by manipulating the `id` parameter of `/myprofile.php`. Exploitation requires passive user interaction (UI:P) - the victim must load a crafted URL - which constrains automated attack chains. A public proof-of-concept is confirmed available on GitHub, though the EPSS score of 0.03% (10th percentile) indicates minimal real-world exploitation activity; the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious scripts in a victim's browser via the ID parameter of /eloginwel.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting automatable mass exploitation, though a publicly available proof-of-concept lowers the technical bar for targeted attacks. No vendor patch has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability despite POC availability.
Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Clickjacking vulnerability exists in Rems' Employee Management System 1.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in itsourcecode Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Username parameter in /admin/index.php, resulting in limited confidentiality and integrity impact. Despite a critical classification in the initial report, the CVSS 4.0 vector assigns a severity of 2.1 with low scope impact and requires authenticated access (PR:L), significantly reducing real-world risk. Public exploit code is available, but the extremely low EPSS score (0.06%, 19th percentile) suggests minimal practical exploitation despite disclosure.
A vulnerability was found in Tutorials-Website Employee Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SourceCodester (rems) Employee Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add_employee.php via the First Name and Address text fields. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, was found in SourceCodester Employee Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in SourceCodester Employee Management System 1.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in Mayuri K Employee Management System up to 192.168.70.3 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in SourceCodester Employee Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.