Key Information

Vulnerability Overview
CVE ID: CVE-2025-57117
Vulnerability Type: Clickjacking
Affected System: Sourcecodester Employee Management System V1.0

Description
A Clickjacking vulnerability exists in Rems' Employee Management System 1.0. This flaw allows remote attackers to execute arbitrary JavaScript on the department.php page by injecting a malicious payload into the "Department Name" field under "Add Department."

Reproduction Steps (PoC)
1. Navigate to and open Add Department.
2. Inject a malicious payload into the Department Name field (e.g., a stored XSS payload).
3. Submit the form. A View More button/area is displayed that contains the stored value.
4. If a victim clicks the crafted View More button/area on the vulnerable page, the injected JavaScript executes and can steal the session ID.

Impact
Clickjacking allows attackers to trick users into unintended actions, which can lead to execution of malicious JavaScript, account compromise, or data theft.

Mitigation
Implement X-Frame-Options or Content-Security-Policy (frame-ancestors) headers to prevent the site from being embedded in malicious frames.

Discoverer
Discovered by JASEEL P, September 2025.

References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-57117
NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-57117
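The following is an added example, not code from the Employee Management System or its advisory: a small checker that decides whether a response's headers carry the anti-framing protection named under Mitigation (X-Frame-Options or a CSP frame-ancestors directive), so a defender can verify the fix on department.php or any other page. The header samples are constructed for illustration.

```python
# Added example (not part of the advisory or the affected project).
# Checks a response header dict for the clickjacking mitigations named above:
# Content-Security-Policy frame-ancestors, or the older X-Frame-Options.

def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options,
            # so the CSP directive alone decides the verdict.
            if ancestors == ["'none'"] or ancestors == ["'self'"]:
                return True, "CSP frame-ancestors %s" % ancestors[0]
            if "*" in ancestors:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors restricts to %s" % " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "no anti-framing header; page can be embedded in an attacker's frame"

# Constructed samples: a response with no framing protection, as the advisory
# describes, beside one that applies both recommended headers.
UNPROTECTED_RESPONSE = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        protected, reason = framing_protection(hdrs)
        print("%s: %s (%s)" % (name, "OK" if protected else "VULNERABLE", reason))
```

Point the dict at real response headers (for example from `requests.get(url).headers`) to run the same check against a deployed instance after the headers are added.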