| 제목 | hemant6488 CodeIgniter-StudentManagementSystem 1.0 Stored Cross-Site Scripting |
|---|
| 설명 | The `addStudent` method in the `Students` controller does not perform any input filtering or sanitisation before storing user-supplied data in the database. Subsequently, the `view_students.php` view renders the student’s name directly without HTML entity encoding.
This allows an attacker to inject arbitrary JavaScript (e.g., via the `name` parameter) that is persisted in the database and executed whenever any user visits the student listing page. Because the endpoint is accessible without authentication (see the Broken Access Control vulnerability), the attack can be carried out by an anonymous remote user. |
|---|
| 원천 | ⚠️ https://github.com/hemant6488/CodeIgniter-StudentManagementSystem/issues/6 |
|---|
| 사용자 | BingZhe (UID 97643) |
|---|
| 제출 | 2026. 04. 27. PM 05:53 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 25. PM 09:08 (28 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365538 [hemant6488 CodeIgniter-StudentManagementSystem Students Controller view_students.php addStudent 이름 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|