CVE-2025-6477 in Student Result Management Systeminfo

Summary

by MITRE • 06/22/2025

A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/admin/system of the component System Settings Page. The manipulation of the argument School Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/25/2025

This vulnerability exists within the SourceCodester Student Result Management System version 1.0, specifically affecting the system settings page functionality. The issue manifests in the /script/admin/system file where improper input validation allows malicious users to inject cross-site scripting payloads through the School Name parameter. This represents a classic client-side vulnerability that undermines the application's security posture and user trust. The vulnerability has been publicly disclosed, meaning threat actors can readily exploit this weakness without requiring advanced technical skills or specialized tools.

The technical flaw stems from insufficient sanitization of user-supplied input within the system settings component. When administrators or users interact with the School Name field, the application fails to properly validate or escape the input before rendering it back to the browser. This allows attackers to inject malicious javascript code that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further exploitation of the victim's privileges. The vulnerability specifically maps to CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output encoding.

The operational impact of this vulnerability extends beyond simple data theft or session manipulation. An attacker could leverage this weakness to escalate privileges within the system, potentially gaining administrative access to the student result management platform. This could result in unauthorized modification of student records, manipulation of academic data, or complete system compromise. The remote exploit capability means that attackers do not need physical access to the network or system, making this vulnerability particularly dangerous in cloud-based or internet-facing deployments. The attack vector aligns with ATT&CK technique T1566.001 which involves phishing with malicious attachments or links, where the XSS payload could be delivered through maliciously crafted school name entries.

Organizations using this system should immediately implement input validation measures to sanitize all user-supplied data before processing or storing it. The fix should include proper HTML escaping of output, implementation of Content Security Policy headers, and regular security audits of input handling mechanisms. Additionally, the system should be updated to the latest available version where this vulnerability has been patched. Network segmentation and monitoring solutions should be deployed to detect suspicious activities related to system settings modifications. Security awareness training for administrators is also recommended to prevent accidental exploitation through social engineering attacks that might leverage this vulnerability. The vulnerability demonstrates the critical importance of implementing defense-in-depth strategies and maintaining up-to-date security measures in web applications to prevent exploitation of known weaknesses.

Responsible

VulDB

Disclosure

06/22/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00280

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!