| タイトル | code-projects Project Management System 1.0 Cross Site Scripting |
|---|
| 説明 | PMS contains a stored cross-site scripting (XSS) vulnerability in its mail and feedback workflow. User-controlled content is written to the backend database and later rendered in HTML without output encoding. As a result, a malicious payload can be stored through the mail compose form or the feedback submission path and will execute when another user opens the corresponding mail view or feedback page. The issue affects both the Faculty and Student mail modules, as well as the feedback display flow.
The root cause is unsafe handling of untrusted input in both storage and presentation. In the mail modules, message content is inserted into the database and later echoed back into the page without escaping. In the feedback workflow, the submitted feedback value is stored in the project record and then rendered directly inside a <textarea> without encoding. During testing, the payload <img src=x onerror=alert(1)> was successfully stored and later executed in the browser, confirming the presence of a reproducible stored XSS condition. |
|---|
| ソース | ⚠️ https://github.com/MyMySSS/CVE123/blob/main/cve4/PMS_CVE_Submission.md |
|---|
| ユーザー | MyMy (UID 96642) |
|---|
| 送信 | 2026年05月27日 11:56 (1 月 ago) |
|---|
| モデレーション | 2026年06月27日 20:29 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 374499 [code-projects Project Management System 1.0 Mail Compose Page /mail.php クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|