Submission #674456: Sourcecodester Student Grades Management System 1.0 Cross Site Scripting

Information

Title: Sourcecodester Student Grades Management System 1.0 Cross Site Scripting
Description:

Discoverer: Shuvo Ahmed Sanin (a researcher from Red Team Bangladesh)

A stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Student Grades Management System v1.0. An authenticated administrator can save HTML and JavaScript in the user profile fields of the Manage Users section. The payload is persisted in the application database and executed by the browser of any user who later views a page that renders those fields. Successful exploitation can lead to session hijacking, disclosure of data shown in the application and manipulation of displayed content, as detailed under Impact below.

Affected Component: Sourcecodester Student Grades Management System v1.0, Manage Users section (Username, First Name and Last Name fields of the Add User / Edit User form).

Code execution: True (client-side script execution in the victim's browser)

Steps to Reproduce:
1. Log in as administrator with user admin and password admin123.
2. After the dashboard loads (http://localhost/student-grades-management-system/admin.php?action=delete_user&id=4), go to the Manage Users section.
3. Add a new user with the required fields, or edit an existing user.
4. In the edit form, enter the payload <img src="x" onerror="alert(document.cookie);"> in the Username field instead of a username. The First Name and Last Name fields are vulnerable in the same way.
5. Click Update User.
6. The payload executes immediately: the stored XSS fires.
7. Log out and log in again; the alert appears again, which confirms that the payload is stored server-side rather than merely reflected from the request.

PoC Video: https://drive.google.com/file/d/1CsswaikqiIJznjlb7xxHcWDOlnJRFqUg/view?usp=sharing

Impact:
1. Session hijacking: attackers can steal authentication cookies (the payload above reads document.cookie, which succeeds unless the session cookie carries the HttpOnly flag).
2. Phishing: injected content can trick users into providing credentials on what appears to be a legitimate page.
3. Data theft: the injected script runs with the victim's session and can read any data the application displays to that user.
4. Content manipulation: attackers can modify displayed content or deface the application.

Mitigation:
1. Input validation: reject values that do not match the expected format for a username or a name, and enforce a length limit.
2. Output encoding: HTML-encode every user-controlled value at the point it is written into the page (in PHP, htmlspecialchars with ENT_QUOTES). Encoding at output time is the primary defense; validation alone is not sufficient.
3. Content Security Policy: deploy a CSP that does not allow 'unsafe-inline' in script-src, so that inline scripts and event handlers such as the onerror attribute above cannot execute even if an unencoded value reaches the page.

Reference: https://www.linkedin.com/in/shuvo-ahmed-sanin/
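The mitigation items above are easiest to see side by side in code. The following is an added example written for this page, not code from the Student Grades Management System or from the discoverer: it renders a constructed user row (the advisory's payload stored in the Username field) first with the unsafe pattern that produces the stored XSS, then with output encoding, a username validation rule and a CSP header. The row layout, the validation pattern and the CSP values are assumptions for the example, not the project's own.

```php
<?php
// Added example (not code from the Student Grades Management System):
// the unsafe rendering pattern behind a stored XSS like the one described
// above, beside its hardened form.

// Constructed sample: a user row as it would come back from the database
// after the advisory's payload was saved in the Username field.
$user = [
    'id'         => 4,
    'username'   => '<img src="x" onerror="alert(document.cookie);">',
    'first_name' => 'Alice',
    'last_name'  => "O'Brien",
];

// VULNERABLE: the stored value is written straight into the HTML, so the
// browser parses the <img> tag and runs its onerror handler.
function renderUserRowVulnerable(array $user): string
{
    return "<tr><td>{$user['username']}</td>"
         . "<td>{$user['first_name']} {$user['last_name']}</td></tr>";
}

// HTML-encode a value for an HTML text or attribute context.
// ENT_QUOTES also encodes the single quote, so the result is safe inside
// quoted attributes as well as in element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HARDENED: every user-controlled value passes through e() at the point of
// output. The database content is unchanged; only the rendering differs, so
// "O'Brien" still displays correctly while the payload becomes inert text.
function renderUserRowHardened(array $user): string
{
    return '<tr><td>' . e($user['username']) . '</td>'
         . '<td>' . e($user['first_name']) . ' ' . e($user['last_name']) . '</td></tr>';
}

// Second layer: a username should never contain markup at all.
// This pattern is an assumption for the example, not the project's own rule.
function isValidUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username);
}

// Defense in depth: a CSP without 'unsafe-inline' makes the browser refuse
// to run the inline onerror handler even if an unencoded value slips through.
// Call this before any output is sent. Policy values are an assumption.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

if (PHP_SAPI === 'cli') {
    echo "Vulnerable: " . renderUserRowVulnerable($user) . "\n";
    echo "Hardened:   " . renderUserRowHardened($user) . "\n";
    echo "Username accepted by validation? "
       . (isValidUsername($user['username']) ? 'yes' : 'no') . "\n";
}
```

Run it with `php` from the command line to compare the two rows. Note that database-side escaping or prepared statements do not address this issue: the payload is stored verbatim either way, and the defect is in how the value is written into the page.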
Source: https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-4
User: redteam_bd (UID 89841)
Submitted: 14/10/2025 02:54 AM (8 months ago)
Moderation: 27/10/2025 01:22 PM (13 days later)
Status: Approved
VulDB Entry: 330119 [SourceCodester Student Grades Management System 1.0 /admin.php delete_user cross site scripting]
Points: 20
