| タイトル | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 Cross Site Scripting |
|---|
| 説明 | Multiple Cross-Site Scripting (XSS) vulnerabilities in Student Information System (version uploaded on November 2, 2025) allow remote attackers to execute arbitrary JavaScript in the context of a victim's browser via multiple vectors.
Stored XSS: The student profile editing function in /profile.php fails to sanitize the firstname and lastname parameters before storing them in the database. The malicious script executes whenever any user (including administrators) views the affected profile, such as on the /searchresults.php page.
Reflected XSS: The search functionality in /searchresults.php fails to properly encode the searchbox GET parameter. An attacker can craft a malicious URL that executes a script when clicked by a victim, leading to potential session hijacking or unauthorized actions.
Both flaws are caused by a lack of output encoding and input sanitization, potentially allowing attackers to steal session cookies or perform actions on behalf of the victim. |
|---|
| ソース | ⚠️ https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-Stored-XSS |
|---|
| ユーザー | i4g5d (UID 92060) |
|---|
| 送信 | 2025年12月20日 16:56 (4 月 ago) |
|---|
| モデレーション | 2025年12月23日 15:33 (3 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 337858 [code-projects Student Information System 1.0 /profile.php firstname/lastname クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|