Submission #674456: Sourcecodester Student Grades Management System 1.0 Cross Site Scripting (info)

Title: Sourcecodester Student Grades Management System 1.0 Cross Site Scripting

Description:

#Discoverer: Shuvo Ahmed Sanin (A Researcher From Red Team Bangladesh)

A Stored XSS vulnerability exists in Sourcecodester Student Grades Management System v1.0 that allows unauthenticated remote attackers to inject crafted input into database queries. Successful exploitation can lead to unauthorized data disclosure, modification, or deletion of the application database, and may allow additional actions depending on the database privileges.

Affected Component: Sourcecodester Student Grades Management System v.1.0 is vulnerable to Stored Cross Site Scripting (XSS) via Manage Users Section.

Impact Code execution: True

Steps to Reproduce:
1. Log in as Admin using user: admin & pass: admin123
2. After successful login to dashboard (http://localhost/student-grades-management-system/admin.php?action=delete_user&id=4) then go to Manage Users Section
3. Add New User with required fields or Edit Any User Info
4. After coming to Edit Section use this XSS payload <img src="x" onerror="alert(document.cookie);"> instead of Username field. Same way First Name, Last Name fields are also XSS vulnerable.
5. Click on Update User
6. Wow! Stored XSS executed!
7. Log out and log in again; you will see the executed XSS pop up again, which indicates it's a stored XSS.

PoC Video: https://drive.google.com/file/d/1CsswaikqiIJznjlb7xxHcWDOlnJRFqUg/view?usp=sharing

Impact:
1. Session Hijacking: Attackers can steal authentication cookies.
2. Phishing Attacks: Users can be tricked into providing sensitive credentials.
3. Data Theft: Exploited XSS can lead to information disclosure.
4. Content Manipulation: Attackers can modify displayed content or deface the application.

Mitigation:
1. Sanitize Input: Implement strict input validation and escape special characters.
2. Output Encoding: Encode user input before rendering it in the browser.
3. Implement CSP (Content Security Policy): Restrict execution of inline scripts.

Reference: https://www.linkedin.com/in/shuvo-ahmed-sanin/
Source: https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-4
User: redteam_bd (UID 89841)
Submitted: 2025-10-14 02:54 AM (8 months ago)
Moderation: 2025-10-27 01:22 PM (13 days later)
Status: Accepted
VulDB entry: 330119 [SourceCodester Student Grades Management System 1.0 /admin.php delete_user cross site scripting]
Points: 20
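
The three Mitigation items in the description (input validation, output encoding, CSP), shown in PHP as an added example. This is not code from the submission or from the application; the function names, column names and policy value are assumptions, and the sample row is constructed from the payload quoted in the report.

```php
<?php
// Added example: hypothetical row rendering for a "Manage Users" table.
// Column names (username, first_name, last_name) are assumptions.

// Encode a value for an HTML text or quoted-attribute context.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form: stored values are concatenated into markup unchanged.
function render_user_row_unsafe(array $u): string
{
    return "<tr><td>{$u['username']}</td><td>{$u['first_name']}</td>"
         . "<td>{$u['last_name']}</td></tr>";
}

// Hardened form: every stored field is encoded at output time.
function render_user_row(array $u): string
{
    return '<tr><td>' . e($u['username']) . '</td><td>' . e($u['first_name'])
         . '</td><td>' . e($u['last_name']) . '</td></tr>';
}

// Input-side check: allow-list for usernames, which rejects markup characters.
function valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $name) === 1;
}

// Constructed sample row: the username holds the payload quoted in the report.
$row = [
    'username'   => '<img src="x" onerror="alert(document.cookie);">',
    'first_name' => 'Test',
    'last_name'  => 'User',
];

// A CSP without 'unsafe-inline' blocks inline event handlers such as onerror.
// Sent before any output; skipped on the command line where it has no effect.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

var_dump(valid_username($row['username'])); // allow-list verdict for the payload
echo render_user_row_unsafe($row), "\n";    // markup reaches the page intact
echo render_user_row($row), "\n";           // markup is rendered as inert text
```

Encoding at output time is the control that holds for rows already stored in the database; the allow-list only stops new bad values from being saved.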
