CVE-2025-29429 in Online Class and Exam Scheduling System
Summary
by MITRE • 03/17/2025
Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/program.php via the id, code, and name parameters.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/23/2025
The vulnerability identified as CVE-2025-29429 affects the Code-projects Online Class and Exam Scheduling System version 1.0, specifically targeting the /pages/program.php endpoint. This represents a critical security flaw that allows attackers to inject malicious scripts into web applications through improperly sanitized input parameters. The vulnerability manifests when user-supplied data is directly incorporated into web page responses without adequate validation or encoding, creating an environment where malicious actors can execute unauthorized code within the context of other users' browsers. The affected parameters include id, code, and name, which are all susceptible to cross site scripting attacks that can compromise user sessions and potentially lead to full system compromise.
This vulnerability falls under the Common Weakness Enumeration category CWE-79, which specifically addresses Cross Site Scripting flaws in web applications. The weakness occurs when applications fail to properly sanitize user input before incorporating it into dynamic web content, allowing malicious scripts to be executed in the victim's browser. The ATT&CK framework categorizes this as a web application vulnerability that can be exploited through various attack vectors including malicious payload injection, session hijacking, and data exfiltration techniques. The specific nature of the vulnerability suggests that the application does not implement proper input validation or output encoding mechanisms for the identified parameters, making it susceptible to persistent XSS attacks that can persist across multiple user sessions.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal sensitive user credentials, manipulate data within the application, and potentially gain unauthorized access to administrative functions. Users interacting with the program.php page could unknowingly execute malicious scripts that redirect them to phishing sites, steal cookies and session tokens, or modify application data. The persistence of these attacks through the id, code, and name parameters indicates that the vulnerability affects multiple data entry points within the application, increasing the attack surface and potential damage. Additionally, the vulnerability could enable attackers to create backdoors or establish persistent access to the system, particularly if the application has administrative features that are accessible through the same vulnerable code paths.
Mitigation strategies for this vulnerability should include immediate implementation of proper input validation and output encoding mechanisms across all user-supplied parameters. The application must sanitize all inputs through proper encoding techniques such as HTML entity encoding before rendering any user data in web pages. Implementing Content Security Policy headers can provide additional protection against script execution, while regular security audits and penetration testing should be conducted to identify similar vulnerabilities throughout the application. The system should also implement proper parameter validation using allowlists of acceptable characters and lengths, and employ secure coding practices that prevent direct inclusion of user input in dynamic content generation. Regular updates and patches should be applied to address this vulnerability immediately, while the development team should conduct comprehensive security training to prevent similar issues in future releases. Organizations should also implement monitoring solutions to detect suspicious activities related to the vulnerable parameters and establish incident response procedures to quickly address any exploitation attempts.