| शीर्षक | raisulislamg4 student_management_system_by_php 1.0 Stored Cross-Site Scripting |
|---|
| विवरण | The admission form (`admission_form_check.php`) directly inserts the user‑supplied `message` field into the database without sanitisation:
```php
$message_data = $_POST['message'];
...
VALUES(..., '$message_data', 'Pending')
Later, the admin panel (admissions.php) displays all admission records, rendering the MESSAGE column directly inside an HTML <td> without any output encoding:
<td><?php echo "{$info['MESSAGE']}"; ?></td>
An attacker can submit an admission form containing a malicious JavaScript payload in the message field. When an administrator visits the admissions list, the script executes in their browser, leading to session theft, account takeover, or further malicious actions. |
|---|
| स्रोत | ⚠️ https://github.com/raisulislamg4/student_management_system_by_php/issues/5 |
|---|
| उपयोगकर्ता | roxci (UID 98086) |
|---|
| सबमिशन | 08/05/2026 07:00 AM (1 महीना पहले) |
|---|
| संयम | 31/05/2026 09:59 AM (23 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 367507 [raisulislamg4 student_management_system_by_php तक 310d950e09013d5133c6b9210aff9444382d16d1 admission_form_check.php संदेश क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|