Submission #674457: SourceCodester Student Grades Management System 1.0 Cross Site Scripting (Info)

Title: SourceCodester Student Grades Management System 1.0 Cross Site Scripting

Description:
#Discoverer: Shuvo Ahmed Sanin (A Researcher From Red Team Bangladesh)

A Stored XSS vulnerability exists in Sourcecodester Student Grades Management System v1.0 that allows unauthenticated remote attackers to inject crafted input into database queries. Successful exploitation can lead to unauthorized data disclosure, modification, or deletion of the application database, and may allow additional actions depending on the database privileges.

Affected Component: Sourcecodester Student Grades Management System v.1.0 is vulnerable to Stored Cross Site Scripting (XSS) via Subjects Section.

Impact Code execution: True

Software URL: https://www.sourcecodester.com/php/18408/student-grades-management-system-using-html-css-and-javascript-source-code.html

Steps to Reproduce:
1. Login as Admin using user: admin & pass: admin123
2. After successful login to the dashboard (http://localhost/student-grades-management-system/admin.php?action=delete_user&id=4), go to the Manage Subjects Section
3. Add a Subject with the required fields or Edit Any Subject Info
4. After coming to the Edit Subject Section, use this XSS payload <img src="x" onerror="alert(document.cookie);"> instead of the Subject Name field. In the same way, the Description field is also XSS vulnerable.
5. Click on Update Subject
6. Wow! Stored XSS executed!
7. Logout and Login again; you will see the executed XSS pop up again, which indicates it's a stored XSS.

PoC Video: https://drive.google.com/file/d/1j_jfaCfnsiujcA7aA6RQUg1AL-OVN_fT/view?usp=sharing

Impact:
1. Session Hijacking: Attackers can steal authentication cookies.
2. Phishing Attacks: Users can be tricked into providing sensitive credentials.
3. Data Theft: Exploited XSS can lead to information disclosure.
4. Content Manipulation: Attackers can modify displayed content or deface the application.

Mitigation:
1. Sanitize Input: Implement strict input validation and escape special characters.
2. Output Encoding: Encode user input before rendering it in the browser.
3. Implement CSP (Content Security Policy): Restrict execution of inline scripts.

Reference: https://www.linkedin.com/in/shuvo-ahmed-sanin/
Source: ⚠️ https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-5
User: redteam_bd (UID 89841)
Submitted: 2025-10-14 03:00 (8 months ago)
Moderation: 2025-10-27 13:22 (13 days later)
Status: Duplicate
VulDB entry: 330119 [SourceCodester Student Grades Management System 1.0 /admin.php delete_user cross site scripting]
Points: 0
