CVE-2025-29426 in Online Class and Exam Scheduling Systeminfo

Summary

by MITRE • 03/17/2025

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/class.php via the id and cys parameters.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/18/2025

The vulnerability identified as CVE-2025-29426 affects the Code-projects Online Class and Exam Scheduling System version 1.0, specifically targeting the /pages/class.php endpoint. This represents a critical security flaw that allows attackers to inject malicious scripts into web applications, potentially compromising user sessions and data integrity. The vulnerability manifests through improper input validation and sanitization of the id and cys parameters, which are directly processed and reflected in the application's output without adequate security measures.

Cross site scripting vulnerabilities in web applications typically arise when user-supplied data is not properly escaped or validated before being rendered in web pages. In this case, the id and cys parameters serve as entry points for malicious actors to inject script code that executes in the context of other users' browsers. The vulnerability aligns with CWE-79 which categorizes cross site scripting as a weakness where applications fail to properly validate or escape user-controllable data before incorporating it into dynamically generated content. This flaw enables attackers to perform various malicious activities including session hijacking, credential theft, and data manipulation.

The operational impact of this vulnerability extends beyond simple script injection, as it can facilitate more sophisticated attacks within the application's environment. Attackers could leverage this weakness to redirect users to malicious websites, steal session cookies, or even modify the application's behavior through DOM-based attacks. The vulnerability affects the entire user base of the scheduling system, potentially compromising sensitive educational data and academic records. According to ATT&CK framework, this represents a technique categorized under T1531 - Account Access Removal and T1059.007 - Command and Scripting Interpreter, where attackers can establish persistent access through injected scripts that maintain their presence across user sessions.

Mitigation strategies for CVE-2025-29426 require immediate implementation of proper input validation and output encoding mechanisms. The system should sanitize all user inputs through parameter validation and employ context-appropriate escaping techniques before rendering any data in web responses. Implementing Content Security Policy headers would add an additional layer of protection by restricting script execution within the application. Regular security audits and automated vulnerability scanning should be conducted to identify similar weaknesses in other application components. The remediation process must include comprehensive testing of all input parameters and validation of output rendering to ensure that no similar vulnerabilities exist in other endpoints of the scheduling system.

Responsible

MITRE

Reservation

03/11/2025

Disclosure

03/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!