❗ Reflected XSS - Employee Notes

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II)

Reflected XSS (authenticated)

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Employee Notes functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

Vulnerable parameters:

  • title – Reflected unsanitized on /index.php (Employee Notes title field).

  • description – Reflected unsanitized on /viewnote.php?id=<id> (generated when printing or viewing a note).
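The two render locations above (the note list on index.php and the print/view page on viewnote.php) both interpolate stored fields into HTML without encoding. The following is an added example, not code from Performance Pro, showing that pattern beside the fix: a minimal renderer with hypothetical templates modelled on the two pages, one variant that interpolates raw (the behaviour the advisory describes) and one that HTML-encodes every user-controlled field first, plus a regression check that reports whether a stored value reached the page unencoded. The note contents and template markup are constructed for the demo.

```python
import html

# Constructed sample note, not data from the advisory: the strings a user could
# submit in the Employee Notes "title" and "description" fields. The <script> tag
# is a generic marker used only to see whether the renderer encodes it.
SAMPLE_NOTE = {
    "id": 7,
    "title": "Review <script>alert(1)</script>",
    "description": "Notes from 1:1 <script>alert(1)</script>",
}

# Hypothetical templates standing in for the two pages named in the advisory
# (index.php note list and viewnote.php view/print page); not the vendor's code.
INDEX_ROW = '<li><a href="/viewnote.php?id={id}">{title}</a></li>'
VIEWNOTE_PAGE = '<h1>{title}</h1><div class="note-body">{description}</div>'

PAGES = {"index.php": INDEX_ROW, "viewnote.php": VIEWNOTE_PAGE}


def render_vulnerable(template: str, note: dict) -> str:
    """Interpolate stored fields straight into HTML: stored XSS as described."""
    return template.format(**note)


def render_safe(template: str, note: dict) -> str:
    """HTML-encode every user-controlled field before it enters the HTML body.

    html.escape(quote=True) turns < > & " ' into entities, so stored markup is
    displayed as text rather than parsed by the browser. The numeric id is cast
    to int because it lands inside an href, where text encoding is not enough.
    """
    encoded = {
        "id": int(note["id"]),
        "title": html.escape(str(note["title"]), quote=True),
        "description": html.escape(str(note["description"]), quote=True),
    }
    return template.format(**encoded)


def audit_renderer(render, note: dict) -> dict:
    """Render each page with the given renderer and report, per (page, field),
    whether the raw stored value survived into the output unencoded.

    Intended as a regression check in a test suite: True means the field is
    rendered as live markup on that page.
    """
    findings = {}
    for page, template in PAGES.items():
        out = render(template, note)
        for field in ("title", "description"):
            if "{" + field + "}" in template:
                findings[(page, field)] = note[field] in out
    return findings


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, audit_renderer(renderer, SAMPLE_NOTE))
```

The audit reports all three (page, field) pairs as unencoded for the raw renderer and none for the encoding renderer, which mirrors the advisory's finding that the title is exposed on both pages while the description is exposed on the view/print page. Entity encoding is the right fix for values placed in HTML text or quoted attributes; a value placed inside a script block or a URL needs the encoding for that context instead, and a Content-Security-Policy that disallows inline script is a useful second layer should an encoding gap remain.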


Exploitation

  • Inject malicious JavaScript into either the title or the description of the employee note

    • Title:

      • Once the note has been saved, the injected title is exploitable upon viewing the home page and/or when printing the employee notes.

    • Description:

      • Once the note has been saved, the injected description is only exploitable when the attacker prints the employee note. That link can then be shared to other authenticated users.

  • Send the crafted URL to a victim via phishing, social engineering, or any other attack vector.

  • When the victim navigates to the modified URL, the application reflects the malicious input directly into the browser without sufficient sanitization.

  • The victim's browser renders the injected payload in the error message, allowing arbitrary script execution within the victim's browser.

Example 1 - Title XSS

  • Create a new note

  • Inject a malicious XSS payload into the title and save

  • Click on the malicious title on the Employee Notes page

Example 2 - Description XSS

  • Create a new note

  • Inject a malicious XSS payload into the description and save

  • Print the employee note to generate a malicious link

  • Click on the malicious description

  • Note: on the print page the title is also exploitable and vulnerable to XSS; the issue is not limited to the description.
