Leave Management System
SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.
Reflected cross-site scripting (XSS) in itsourcecode Leave Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID query parameter in /module/employee/controller.php?action=reset, requiring user interaction to execute. Public exploit code is available, though the vulnerability carries low real-world risk (EPSS 0.03%, CVSS 2.0) due to authentication and user-interaction requirements limiting broad exploitation.
A vulnerability was identified in itsourcecode Leave Management System 1.0. It affects an unknown function in the file /reset.php: manipulation of the `employid` argument leads to SQL injection. The attack can be performed remotely. The exploit is publicly available and might be used.