CVE-2025-6473 in School Fees Payment Systeminfo

Summary

by MITRE • 06/22/2025

A vulnerability, which was classified as problematic, was found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /fees.php. The manipulation of the argument transcation_remark leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/25/2025

This vulnerability resides within the code-projects School Fees Payment System version 1.0, specifically in the /fees.php file where improper input validation allows for cross-site scripting attacks through the transcation_remark parameter. The flaw represents a classic client-side injection vulnerability that enables attackers to execute malicious scripts in the context of other users' browsers. The vulnerability is classified as remotely exploitable, meaning that malicious actors can initiate attacks without requiring physical access to the target system or direct user interaction beyond visiting a maliciously crafted URL.

The technical nature of this vulnerability aligns with CWE-79, which describes cross-site scripting flaws where untrusted data is incorporated into web pages without proper validation or encoding. The transcation_remark parameter serves as the attack vector where user-supplied input is directly reflected in the application's output without adequate sanitization. This allows attackers to inject malicious JavaScript code that gets executed when other users view the affected page, potentially leading to session hijacking, credential theft, or redirection to malicious sites.

The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to manipulate the application's behavior and compromise user sessions. Since the exploit is publicly disclosed and readily available, the risk of exploitation is elevated, making this vulnerability particularly dangerous for educational institutions that rely on the system for financial transactions. The attack surface includes any user who accesses the fees.php page, potentially affecting students, parents, and administrative staff who might inadvertently trigger the malicious script execution.

Mitigation strategies should focus on implementing proper input validation and output encoding mechanisms within the application's codebase. The system should sanitize all user inputs, particularly those that are reflected in web pages, through the use of appropriate encoding functions such as HTML entity encoding or JavaScript escaping. Additionally, implementing a Content Security Policy (CSP) would provide an additional layer of protection against unauthorized script execution. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other parts of the application, while also ensuring that the application follows secure coding practices as outlined in OWASP Top Ten and NIST guidelines for web application security. The vulnerability demonstrates the critical importance of input validation in preventing client-side attacks and highlights the need for comprehensive security measures throughout the entire application development lifecycle.

Responsible

VulDB

Disclosure

06/22/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00327

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!