CVE-2023-23013 has been assigned.
Link: https://github.com/Devnawjesh/hr-payroll
Multiple XSS vulnerabilities. One example follows.
In file hr-payroll-master\application\controllers\Logistice.php:
public function Add_Assets_Category(){
    if($this->session->userdata('user_login_access') != False) {
        $id = $this->input->post('catid');
        $cattype = $this->input->post('cattype');   // no validation rule is ever set for this value
        $catname = $this->input->post('catname');
        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters();
        $this->form_validation->set_rules('catname', 'Category name', 'trim|required|min_length[1]|max_length[220]|xss_clean');
        //...
        $data = array(
            'cat_name' => $catname,
            'cat_status' => $cattype   // unvalidated value goes straight to the model
        );
        $success = $this->logistic_model->Add_Assets_Category($data);
        //...
    }
    //...
}
cat_name is run through xss_clean, but cat_status (the cattype POST parameter) is not validated at all. Both values are then saved to the database in file hr-payroll-master\application\models\Logistic_model.php:
public function Add_Assets_Category($data){
    $this->db->insert('assets_category',$data);
}
Then in file
public function Assets_Category(){
    if($this->session->userdata('user_login_access') != False) {
        $data=array();
        $data['catvalue'] = $this->project_model->GetAssetsCategory();
        $this->load->view('backend/assets_category',$data);
    }
    //...
}
In file hr-payroll-master\application\models\Project_model.php:
public function GetAssetsCategory(){
    $sql = "SELECT * FROM `assets_category`";
    $query=$this->db->query($sql);
    $result = $query->result();
    return $result;
}
Finally, cat_status is echoed unescaped in the view 'backend/assets_category', so whatever was stored is rendered as HTML:
<?php foreach($catvalue as $value): ?>
<tr>
    <td><?php echo $value->cat_id; ?></td>
    <td><?php echo $value->cat_status ?></td>   <!-- stored value printed without encoding -->
    <td><?php echo $value->cat_name; ?></td>
    <td class="jsgrid-align-center ">
        <a href="" title="Edit" class="btn btn-sm btn-info waves-effect waves-light AssetsModal" data-id="<?php echo $value->cat_id; ?>"><i class="fa fa-pencil-square-o"></i></a>
    </td>
</tr>
<?php endforeach; ?>
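The following is an added example of the fix, not code from the hr-payroll project: every value is HTML-encoded when the row is rendered (output encoding is what stops stored XSS, whatever reached the database), and cat_status is checked against an allow list on input as defence in depth. The allowed status values and the helper names are assumptions; in CodeIgniter 3 the equivalents are the html_escape() helper in the view and an in_list[...] form-validation rule on cattype.

```php
<?php
// Added example, not part of the hr-payroll project.
// ASSUMPTION: cat_status is a small set of flags; the page does not list them.
const ALLOWED_CAT_STATUS = ['1', '0'];   // hypothetical: 1 = active, 0 = inactive

// Encode a value for HTML text content or a quoted attribute.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// data-id="..." as well as between tags.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input-side check for cat_status: strict allow-list comparison.
// xss_clean on cat_name is a filter, not a substitute for output encoding.
function validate_cat_status($value): bool
{
    return is_string($value) && in_array($value, ALLOWED_CAT_STATUS, true);
}

// Render one assets_category row the way backend/assets_category should:
// every dynamic value passes through h() before it touches the markup.
function render_category_row(object $row): string
{
    return '<tr>'
        . '<td>' . h($row->cat_id) . '</td>'
        . '<td>' . h($row->cat_status) . '</td>'
        . '<td>' . h($row->cat_name) . '</td>'
        . '<td class="jsgrid-align-center">'
        . '<a href="" title="Edit" class="btn btn-sm btn-info AssetsModal" data-id="'
        . h($row->cat_id) . '">Edit</a></td>'
        . '</tr>';
}

// Constructed sample row: cat_status carries markup, as it could after the
// unvalidated Add_Assets_Category() call shown above.
$sample = (object) [
    'cat_id'     => 7,
    'cat_status' => '<script>alert(1)</script>',
    'cat_name'   => 'Laptops & "Docks"',
];

// The allow-list check rejects the sample value on input ...
var_dump(validate_cat_status($sample->cat_status));
// ... and even if it were already stored, rendering leaves it as inert text.
echo render_category_row($sample), PHP_EOL;
```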