إرسال #822848: raisulislamg4 student_management_system_by_php 1.0 Stored Cross-Site Scriptingالمعلومات

عنوانraisulislamg4 student_management_system_by_php 1.0 Stored Cross-Site Scripting
الوصفThe admission form (`admission_form_check.php`) directly inserts the user‑supplied `message` field into the database without sanitisation: ```php $message_data = $_POST['message']; ... VALUES(..., '$message_data', 'Pending') Later, the admin panel (admissions.php) displays all admission records, rendering the MESSAGE column directly inside an HTML <td> without any output encoding: <td><?php echo "{$info['MESSAGE']}"; ?></td> An attacker can submit an admission form containing a malicious JavaScript payload in the message field. When an administrator visits the admissions list, the script executes in their browser, leading to session theft, account takeover, or further malicious actions.
المصدر⚠️ https://github.com/raisulislamg4/student_management_system_by_php/issues/5
المستخدم
 roxci (UID 98086)
ارسال08/05/2026 07:00 AM (29 أيام منذ)
الاعتدال31/05/2026 09:59 AM (23 days later)
الحالةتمت الموافقة
إدخال VulDB367507 [raisulislamg4 student_management_system_by_php حتى 310d950e09013d5133c6b9210aff9444382d16d1 admission_form_check.php رسالة البرمجة عبر المواقع]
النقاط20

التالي نظرة عامة السابق

Do you need the next level of professionalism?

Upgrade your account now!