| Title | SourceCodester Student Grades Management System 1.0 Cross Site Scripting |
|---|
| Description | #Discoverer: Shuvo Ahmed Sanin (A Researcher From Red Team Bangladesh)
A Stored XSS vulnerability exists in Sourcecodester Student Grades Management System v1.0 that allows unauthenticated remote attackers to inject crafted input into database queries. Successful exploitation can lead to unauthorized data disclosure, modification, or deletion of the application database, and may allow additional actions depending on the database privileges.
Affected Component: Sourcecodester Student Grades Management System v.1.0 is vulnerable to Stored Cross Site Scripting (XSS) via Subjects Section.
Impact Code execution: True
Software URL: https://www.sourcecodester.com/php/18408/student-grades-management-system-using-html-css-and-javascript-source-code.html
Steps to Reproduce:
1. Log in as Admin using user: admin & pass: admin123
2. After a successful login to the dashboard (http://localhost/student-grades-management-system/admin.php?action=delete_user&id=4), go to the Manage Subjects Section
3. Add a Subject with the required fields or edit any Subject Info
4. In the Edit Subject Section, enter this XSS payload <img src="x" onerror="alert(document.cookie);"> in the Subject Name field. The Description field is also XSS vulnerable in the same way.
5. Click on Update Subject
6. Wow! Stored XSS executed!
7. Log out and log in again; you will see the executed XSS pop-up again, which indicates it’s a stored XSS.
PoC Video: https://drive.google.com/file/d/1j_jfaCfnsiujcA7aA6RQUg1AL-OVN_fT/view?usp=sharing
Impact:
1. Session Hijacking: Attackers can steal authentication cookies.
2. Phishing Attacks: Users can be tricked into providing sensitive credentials.
3. Data Theft: Exploited XSS can lead to information disclosure.
4. Content Manipulation: Attackers can modify displayed content or deface the application.
Mitigation:
1. Sanitize Input: Implement strict input validation and escape special characters.
2. Output Encoding: Encode user input before rendering it in the browser.
3. Implement CSP (Content Security Policy): Restrict execution of inline scripts.
Reference: https://www.linkedin.com/in/shuvo-ahmed-sanin/ |
|---|
| Source | ⚠️ https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-5 |
|---|
| User | redteam_bd (UID 89841) |
|---|
| Submission | 14/10/2025 03:00 AM (8 months ago) |
|---|
| Moderation | 27/10/2025 01:22 PM (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 330119 [SourceCodester Student Grades Management System 1.0 /admin.php delete_user cross site scripting] |
|---|
| Points | 0 |
|---|
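
The mitigation items in the description (output encoding, CSP, protecting the session cookie), applied to the Subject Name and Description fields, as an added example that is not part of the submission or of the application's code. The row layout, the `session` cookie name, the helper names and the sample records are assumptions. The second record reuses the payload quoted in the report.

```javascript
// Added example. Field names (name, description) follow the Subject form in the
// report; everything else here is constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one subject row; every stored field is encoded at output time,
// so markup saved in the database is displayed as text instead of parsed.
function renderSubjectRow(subject) {
  return `<tr><td>${escapeHtml(subject.name)}</td><td>${escapeHtml(subject.description)}</td></tr>`;
}

// Audit helper: ids of stored records whose fields already contain markup,
// so rows saved before the fix can be reviewed and cleaned.
function findSuspectSubjects(subjects) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return subjects
    .filter((s) => markup.test(String(s.name ?? '')) || markup.test(String(s.description ?? '')))
    .map((s) => s.id);
}

// Response headers: a CSP without 'unsafe-inline' refuses inline handlers such
// as onerror; HttpOnly keeps the session cookie out of document.cookie.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; SameSite=Lax; Path=/`, // hypothetical cookie name
  };
}

// Constructed sample data.
const sampleSubjects = [
  { id: 1, name: 'Mathematics', description: 'Algebra & geometry' },
  { id: 2, name: '<img src="x" onerror="alert(document.cookie);">', description: 'Physics' },
];

for (const subject of sampleSubjects) console.log(renderSubjectRow(subject));
console.log('rows to review:', findSuspectSubjects(sampleSubjects));
```

Encoding at output time is what neutralises values already stored; the audit helper only locates them for clean-up.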