# Reflected XSS - Employee Notes

## Reflected XSS (authenticated)  <a href="#finding1" id="finding1"></a>

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

{% hint style="warning" %}
/index.php?mode=mNote\&job=update
{% endhint %}

### Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Employee Notes functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

Vulnerable parameters:

* title – Stored and later rendered without encoding on /index.php (Employee Notes title field).
* description – Stored and later rendered without encoding on /viewnote.php?id=\<id> (the page generated when printing or viewing a note).

{% hint style="danger" %}
This vulnerability allows attackers to execute malicious scripts, alter the user's interface, and potentially redirect users to malicious sites.
{% endhint %}
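To make the defect concrete, here is an added example (not Performance Pro's code; the function names, the note record fields and the `h()` helper are hypothetical) that contrasts the unencoded rendering described above with context-appropriate output encoding, plus a small regression check that flags the unsafe renderer:

```php
<?php
// Added example, not Performance Pro's code. Shows how a stored note field
// becomes XSS when rendered without encoding, and the encoding that fixes it.
// Function names, field names and the h() helper are hypothetical.

declare(strict_types=1);

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored fields are interpolated straight into markup. */
function renderNoteVulnerable(array $note): string
{
    return '<a href="/viewnote.php?id=' . $note['id'] . '">' . $note['title'] . '</a>'
         . '<div class="note-body">' . $note['description'] . '</div>';
}

/** Fixed pattern: every stored value is encoded for the context it lands in. */
function renderNoteSafe(array $note): string
{
    $id = (int) $note['id'];   // numeric context: cast instead of trusting the string
    return '<a href="/viewnote.php?id=' . $id . '">' . h($note['title']) . '</a>'
         . '<div class="note-body">' . h($note['description']) . '</div>';
}

/**
 * Regression check: a harmless marker that contains the characters an
 * injection needs must come back encoded. Returns true when the renderer
 * is safe, false when the marker survives as live markup.
 */
function noteRendererEncodesMarkup(callable $renderer): bool
{
    $marker = '<i title="x">canary</i>';   // constructed, non-malicious sample
    $html = $renderer(['id' => '7', 'title' => $marker, 'description' => $marker]);
    return strpos($html, $marker) === false
        && strpos($html, '&lt;i title=&quot;x&quot;&gt;canary&lt;/i&gt;') !== false;
}

// Constructed note record, as it might come back from the notes table.
$note = [
    'id'          => '42',
    'title'       => '<b>Quarterly review</b>',
    'description' => 'Met 2 < 3 goals',
];

echo 'vulnerable renderer encodes markup: '
   . var_export(noteRendererEncodesMarkup('renderNoteVulnerable'), true) . "\n";
echo 'safe renderer encodes markup: '
   . var_export(noteRendererEncodesMarkup('renderNoteSafe'), true) . "\n";
echo renderNoteSafe($note) . "\n";
```

Run it with `php example.php`. The check only proves that the renderer encodes the significant HTML characters in text and attribute contexts; a Content-Security-Policy that disallows inline script is a worthwhile second layer, since it limits what any remaining injection can execute.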

***

### Exploitation

* Inject malicious JavaScript into either the title or the description of the employee note.
  * Title:
    * Once the note has been saved, the injected title is exploitable upon viewing the home page and/or when printing the employee notes.
  * Description:
    * Once the note has been saved, the injected description is only exploitable when the attacker prints the employee note. That link can then be shared with other authenticated users.
* **Send** the resulting URL to a victim via phishing, social engineering, or any other attack vector.
* When the victim navigates to the URL, the application renders the stored input directly into the page without sufficient sanitization.
* **The victim's browser renders the injected payload** in the note title or description, allowing arbitrary script execution within the victim's browser.

### Example 1 - Title XSS

* Create a new note\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F5RVsJjAT4xSXfaXqM24L%2Fimage.png?alt=media\&token=3d211a24-5d3c-4d39-8622-b047714883ab)
* Inject a malicious XSS payload into the title and save\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F2aamV7kw8hBi9rLqzd33%2Fimage.png?alt=media\&token=34068326-6c38-4d34-ad95-6d6235d02f4c)
* Click on the malicious title on the Employee Notes page\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FqdraLhWiDra3BqzU3pMe%2Fimage.png?alt=media\&token=b7a60c94-ddc4-4d38-84bc-32e102b736d5)\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FhUoD7f4N4bcNn31pisKc%2Fimage.png?alt=media\&token=124f3f0a-e40a-418d-91b9-9df14a3335e5)

### Example 2 - Description XSS

* Create a new note\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2Fr8PxV8Prae3xit6wf1pa%2Fimage.png?alt=media\&token=6ea93939-0080-4fc3-9e62-41c76c1770b1)
* Inject a malicious XSS payload into the description and save\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F89tXFrtGPLI6n9u2W4Lx%2Fimage.png?alt=media\&token=88f3710e-54e3-4676-bd4c-429aae29587a)
* Print the employee note to generate a malicious link\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FvkXRixW1w6yzKAPqkiwm%2Fimage.png?alt=media\&token=127de690-d24e-4721-817c-3f5654a5d5cb)
* Click on the malicious description\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FxK2dwhlzhP6TYkDBc1op%2Fimage.png?alt=media\&token=8fceb3a5-3638-4a97-aeb1-66f4be1c5c02)
* *It is worth mentioning that on the print page the title is also exploitable and vulnerable to XSS; it is not limited to just the description.*

