CVE-2026-11491
Status: Deferred - Pending Action
Stored XSS in CodeAstro HRMS Notice Board

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. An unknown function of the file /notice/All_notice in the Notice Board Management component is affected. Manipulating the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> in a POST request leads to cross-site scripting. The attack can be launched remotely. The exploit is publicly available and might be used.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE:
Vendor: codeastro | Product: human_resource_management_system | Version / Range: 1.0
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions
Executive Summary

CVE-2026-11491 is a Stored Cross-Site Scripting (XSS) vulnerability in CodeAstro Human Resource Management System version 1.0. It occurs in the Notice Management feature, where authenticated employee users can create notice board entries without proper input sanitization.

An attacker can inject malicious JavaScript code into the Notice Title field. This malicious script is then stored by the application and executed whenever the notice is viewed by other users, including administrators.

Exploitation requires the attacker to log in with a valid employee account, add a notice with the XSS payload in the Notice Title, and submit it. The payload executes on user dashboards, potentially affecting all users.

The application does not provide a user interface to delete notices, so malicious notices remain until manually removed from the backend or database.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that allows execution of arbitrary JavaScript in the browsers of users with higher privileges, including administrators. This can lead to phishing, session theft, and unauthorized actions, which may result in unauthorized access to sensitive information.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.

Furthermore, the lack of a notice deletion feature means malicious scripts can persist, increasing the risk and complexity of remediation, which may further complicate compliance efforts.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of users who view the malicious notice. Possible consequences include:

  • Phishing attacks by displaying fake login prompts or misleading information.
  • Session theft by stealing cookies or session tokens.
  • Unauthorized actions performed on behalf of the victim user.
  • Other client-side attacks that rely on executing malicious scripts.

Because the malicious notice cannot be deleted through the user interface, the attack can persist and affect users over an extended period, increasing the risk and complexity of mitigation.

Detection Guidance

This vulnerability can be detected by attempting to inject a known XSS payload into the Notice Title field of the Notice Management feature while authenticated as an employee user. Specifically, submitting a POST request with a payload such as <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> in the Notice Title field and observing whether the script executes when the notice is rendered indicates the presence of the vulnerability.

To detect this on your system, you can use tools like curl or Burp Suite to send crafted POST requests to the /notice/All_notice endpoint with the malicious payload in the Notice Title parameter.

Example curl command to test the vulnerability (replace URL and authentication details accordingly):

  curl -X POST -d "NoticeTitle=<svg onload=alert('XSS')>&attachment=file&publication_date=2026-06-08" -b cookies.txt https://target-system/notice/All_notice

After submitting the payload, check if the alert or injected script executes when viewing the notice board as an authenticated user.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the Notice Title field, to prevent the injection of malicious scripts.

Since the application lacks a notice deletion feature in the user interface, any malicious notices already stored must be manually removed from the backend or database to prevent persistent exploitation.

Additionally, restrict the privileges of users who can add notices to minimize the risk of exploitation.

Applying patches or updates from the vendor, if available, is recommended once released.
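The following is an added example illustrating both the mitigation described above (encode the Notice Title wherever it is placed into HTML, and validate it on input) and the clean-up step in the Detection Guidance and Mitigation sections (finding already-stored notices that carry markup so they can be removed from the database). It is not code from CodeAstro HRMS; the notice record shape, the function names and the sample rows are assumptions constructed for this illustration.

```javascript
// Added example, not CodeAstro HRMS code. Assumes a hypothetical notice record
// of the shape { id, title, publication_date } as stored by the application.

// Contextual output encoding for HTML element content and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering of one notice board row: every user-controlled field is
// escaped at the point it enters the HTML, so "<svg onload=...>" becomes inert text.
function renderNoticeRow(notice) {
  return "<tr><td>" + escapeHtml(notice.id) + "</td>" +
         "<td>" + escapeHtml(notice.title) + "</td>" +
         "<td>" + escapeHtml(notice.publication_date) + "</td></tr>";
}

// Server-side input validation for the Notice Title (hypothetical limit): accept
// plain text only. This is defence in depth; output encoding is the primary control.
const TITLE_MAX = 150;
function validateNoticeTitle(title) {
  if (typeof title !== "string") return { ok: false, reason: "not a string" };
  const t = title.trim();
  if (t.length === 0 || t.length > TITLE_MAX) return { ok: false, reason: "length" };
  if (/[<>]/.test(t)) return { ok: false, reason: "markup not allowed" };
  return { ok: true, value: t };
}

// Detection over already-stored notices: flag rows whose title contains a tag,
// an inline event handler or a javascript: URL, for review and manual removal.
const SUSPICIOUS_PATTERNS = [/<\s*[a-z!\/]/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];
function findSuspiciousNotices(rows) {
  return rows.filter(r => SUSPICIOUS_PATTERNS.some(re => re.test(String(r.title))));
}

// Constructed sample rows (not real data); row 2 mirrors the payload shape in the advisory.
const SAMPLE_NOTICES = [
  { id: 1, title: "Office closed on Friday", publication_date: "2026-06-05" },
  { id: 2, title: "<svg onload=\"alert('Stored XSS')\">", publication_date: "2026-06-08" },
  { id: 3, title: "Q2 results & bonus schedule", publication_date: "2026-06-07" },
];

console.log(renderNoticeRow(SAMPLE_NOTICES[1]));
console.log("suspicious notice ids:", findSuspiciousNotices(SAMPLE_NOTICES).map(r => r.id));
```

The detection scan is meant to be run over a dump of the notice table as part of the manual clean-up the advisory calls for; it only flags rows for a human to review, it does not modify anything. Encoding on output rather than stripping on input is the choice that keeps legitimate titles such as "Q2 results & bonus schedule" intact while neutralising markup.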
