Submission #728988: PHPGurukul Online Course Registration v3.1 Cross Site Scripting

Title: PHPGurukul Online Course Registration v3.1 Cross Site Scripting
Description: A critical stored cross-site scripting (XSS) vulnerability exists in PHP Gurukul Online Course Registration System v3.1 that allows students to upload malicious files which execute JavaScript code when administrators view or edit student profiles. The vulnerability is located in the student registration photo upload functionality. The application fails to properly validate uploaded file types and does not sanitize file content, allowing malicious SVG or HTML files to be uploaded and stored. When an administrator accesses the student management interface and views or edits a student profile (/admin/edit-student-profile.php), the malicious file is rendered, causing the embedded JavaScript to execute in the administrator's browser context. An attacker can upload a malicious SVG or HTML file containing JavaScript code. When the file is accessed (e.g., when viewing a student profile or the student list), the XSS payload executes, potentially stealing session cookies, performing actions on behalf of the victim, or redirecting to phishing pages. If an administrator views a student profile containing the malicious file, the attacker may hijack the administrator's session and perform unauthorized actions with administrative privileges. Although CVE-2020-23828 previously described an unrestricted file upload issue in Online Course Registration v1.0, the vulnerability reported here affects version v3.1 and results in stored cross-site scripting via malicious SVG or HTML uploads, representing a separate issue.
Source: https://github.com/rsecroot/Online-Course-Registration/blob/main/Cross%20Site%20Scripting.md
User: hackerfactory (UID 85869)
Submitted: 01/01/2026 13:18 (4 months ago)
Moderated: 01/01/2026 14:22 (1 hour later)
Status: Accepted
VulDB entry: 339355 [PHPGurukul Online Course Registration up to 3.1 Student Registration Page edit-student-profile.php photo privilege escalation]
Points: 20
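The description above attributes the issue to a photo upload that accepts SVG or HTML by extension and later renders the stored file to an administrator. The following is an added defensive example, not code from PHPGurukul or from the linked advisory, showing how such a photo upload can be hardened: the content type is determined from the file's bytes rather than its name, only raster formats are allowed, the image is re-encoded through GD so appended markup does not survive, the stored name is server-generated, and the file is served with headers that stop the browser from treating it as a document. The function names, the upload directory, the `photo` form field and the use of PHP 8 (`match`) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPGurukul's code. Hardened replacement for a student
// photo upload. Function names, upload directory and the 'photo' field are
// assumptions made for this illustration.

// Allow-list of raster formats; image/svg+xml and text/html can never match.
const ALLOWED_PHOTO_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_PHOTO_BYTES = 2 * 1024 * 1024; // 2 MiB

// Validate one $_FILES entry, re-encode it and store it under a random name.
// Returns the stored filename; throws on any rejection.
function storeStudentPhoto(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file supplied.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST.');
    }
    if ((int) $file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('Photo exceeds size limit.');
    }

    // Type from magic bytes, never from the client-supplied filename
    // extension or $_FILES['photo']['type'], which the uploader controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_PHOTO_TYPES[$mime])) {
        throw new RuntimeException("Rejected content type: {$mime}");
    }

    // Decode with GD and write a fresh file: only pixel data survives, so
    // an image with HTML or script appended loses that trailing content.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('File is not a decodable raster image.');
    }

    $ext  = ALLOWED_PHOTO_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // no user input in the path
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded photo.');
    }
    return $name;
}

// Serving side (e.g. from the profile page): deliver the file with headers
// that keep the browser from sniffing or scripting it.
function sendStudentPhoto(string $uploadDir, string $name): void
{
    // Accept only names this handler generated itself: 32 hex chars + ext.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_PHOTO_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header("Content-Security-Policy: default-src 'none'; sandbox");
    readfile($path);
}

// Usage in the registration handler (assumed upload directory):
// $photoName = storeStudentPhoto($_FILES['photo'], __DIR__ . '/uploads/photos');
// Store $photoName in the students table instead of the original filename.
```

Two of these controls matter even on their own: determining the type from the bytes (`finfo`) removes the extension-based decision the description blames, and `X-Content-Type-Options: nosniff` together with a correct `Content-Type` means that, should a non-image ever reach the upload directory, the administrator's browser will not execute it as HTML or SVG when the profile page references it.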
