Discussions
Security Vulnerability in Code Example
Hey.
A customer asked me to use the code provided on this Documentation Page (https://developer.personio.de/docs/integration-of-open-positions) to set up their job positions.
I noticed that this example code has a Cross-Site Scripting vulnerability. You really should fix this code because some people will just copy and paste it for production usage.
Proof of Concept (PoC):
In the case that this code example is implemented on a page such as https://target.tld/jobs/index.php, a malicious link could exploit the vulnerability, resulting in a potential Cross-Site Scripting attack: "https://target.tld/jobs/index.php?channel=">". The problem is that the $_GET["channel"] parameter is not properly encoded in the output, which leads to the interpretation of JavaScript by the user's browser.
Note: It is important to note that XSS can pose significant threats when exploited by attackers, allowing them to potentially steal cookies used on the target website and carry out account takeovers.
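The pattern the post describes, written out as an added PHP example (constructed here, not the code from the Personio documentation page): the raw `channel` parameter copied into an HTML attribute, beside the same output with context-appropriate encoding and an allow-list check. The function names, the link markup and the slug rule are assumptions for illustration.

```php
<?php
// Added example, not the Personio docs' code. Models the pattern the post
// describes: a "channel" query parameter copied straight into HTML output.

// Vulnerable form: the raw parameter lands inside an attribute unchanged, so a
// value containing `">` closes the attribute and the browser parses whatever
// follows as markup. This is the defect the post reports.
function renderChannelLinkUnsafe(string $channel): string
{
    return '<a href="/jobs/index.php?channel=' . $channel . '">Open positions</a>';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES covers both
// quote characters, so the attribute cannot be closed early; `<` and `>` become
// entities and are rendered as text, never as tags.
function renderChannelLinkSafe(string $channel): string
{
    $encoded = htmlspecialchars($channel, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/jobs/index.php?channel=' . $encoded . '">Open positions</a>';
}

// Defence in depth (hypothetical rule): a channel identifier is expected to be
// a short slug, so anything else is rejected before it reaches the template.
function isValidChannel(string $channel): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $channel);
}

// Constructed input shaped like the post's PoC: it closes the attribute early.
// In the CLI $_GET is empty, so the constructed value is used.
$input = $_GET['channel'] ?? '"><i>injected</i>';

echo "unsafe: " . renderChannelLinkUnsafe($input) . "\n";
echo "safe:   " . renderChannelLinkSafe($input) . "\n";
echo "valid:  " . (isValidChannel($input) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the unsafe line shows the attribute closed and an `<i>` element emitted, the safe line shows `&quot;&gt;&lt;i&gt;...` kept inside the attribute as literal text, and the validity check rejects the value outright.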