| タイトル | tittuvarghese CollegeManagementSystem 1.0 Reflected Cross‑Site Scripting |
|---|
| 説明 | The `fetch.php` endpoint, when handling the `fetch_subject_data` action, directly echoes the user‑supplied `department_name` POST parameter into an HTML `<td>` element without any sanitisation or output encoding:
```php
<td><?php echo $department_name.' ('.$department.')'; ?></td>
```
Because the value is reflected directly from the request body, an attacker can craft a POST request containing a malicious script in the department_name field. When the server returns this HTML snippet (typically consumed by an AJAX callback and injected into the DOM with innerHTML or jQuery’s html()), the script executes in the victim’s browser, leading to session theft, CSRF attacks, or other client‑side compromises.
Steps to Reproduce
Identify a page that sends an AJAX POST to fetch.php with action=fetch_subject_data and renders the response into the DOM.
Inject a malicious department_name value, such as <script>alert(1)</script>.
Observe that the returned HTML contains the unescaped script tag.
If the response is inserted into the page, the JavaScript executes. |
|---|
| ソース | ⚠️ https://github.com/tittuvarghese/CollegeManagementSystem/issues/6 |
|---|
| ユーザー | Lucky ya-ya (UID 98310) |
|---|
| 送信 | 2026年05月18日 18:09 (23 日 ago) |
|---|
| モデレーション | 2026年06月05日 10:10 (18 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 368875 [tittuvarghese CollegeManagementSystem fetch.php department_name クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|