| Titel | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 Cross Site Scripting |
|---|
| Beschreibung | Multiple Cross-Site Scripting (XSS) vulnerabilities in Student Information System (version uploaded on November 2, 2025) allow remote attackers to execute arbitrary JavaScript in the context of a victim's browser via multiple vectors.
Stored XSS: The student profile editing function in /profile.php fails to sanitize the firstname and lastname parameters before storing them in the database. The malicious script executes whenever any user (including administrators) views the affected profile, such as on the /searchresults.php page.
Reflected XSS: The search functionality in /searchresults.php fails to properly encode the searchbox GET parameter. An attacker can craft a malicious URL that executes a script when clicked by a victim, leading to potential session hijacking or unauthorized actions.
Both flaws are caused by a lack of output encoding and input sanitization, potentially allowing attackers to steal session cookies or perform actions on behalf of the victim. |
|---|
| Quelle | ⚠️ https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-Stored-XSS |
|---|
| Benutzer | i4g5d (UID 92060) |
|---|
| Einreichung | 20.12.2025 16:56 (vor 4 Monaten) |
|---|
| Moderieren | 23.12.2025 15:33 (3 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 337858 [code-projects Student Information System 1.0 /profile.php firstname/lastname Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|