Human Resource Management System
SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.
Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated low-privilege user to inject persistent malicious script via the `protitle` argument on the `/Projects/Add_Projects` endpoint. When any other authenticated user (e.g., an HR administrator) subsequently views the Projects Management Page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public proof-of-concept exploit is hosted on GitHub, lowering the bar for exploitation, though KEV listing is absent and the CVSS 4.0 score of 2.0 reflects the constrained impact scope.
Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated remote attacker to inject persistent malicious scripts via the `todo_data` parameter at the `/dashboard/add_tod` endpoint. When a higher-privileged user subsequently views the to-do list in the dashboard, the stored payload executes silently in their browser context, enabling session hijacking or unauthorized privileged actions. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, but the low barrier to exploitation for any authenticated user elevates practical risk above what the CVSS 4.0 score of 2.0 implies.
Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 enables a high-privileged authenticated attacker to inject persistent malicious script via the Notice Title parameter in the Notice Board Management component, executing in the browsers of any user who subsequently views the affected notice. The publicly available proof-of-concept on GitHub demonstrates exploitation via an SVG onload payload submitted through a POST request to /notice/All_notice. Despite remote accessibility, real-world severity is constrained by the requirement for prior high-privilege authentication and the need for victim interaction - reflected in the low CVSS score of 2.4 - and no public exploitation campaign has been identified at time of analysis.
A vulnerability was found in 1000 Projects Human Resource Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.