| 제목 | sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Stored Cross-Site Scripting |
|---|
| 설명 | The backend dashboards (admin, student, teacher) display detailed information about students and teachers by directly echoing database values without any HTML entity encoding. A typical example from `admin_dashboard.php`:
```php
<input type="text" id="btn1" value="<?php echo $row['name']?>" disabled>
```
Because $row['name'] is output as‑is inside an HTML attribute, an attacker who previously inserted a malicious payload (e.g., via Vulnerability #2 – Unauthorised Data Insertion) into the name field can break out of the attribute and inject arbitrary JavaScript. When an administrator or other user views the dashboard, the injected script executes in their browser. |
|---|
| 원천 | ⚠️ https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/3 |
|---|
| 사용자 | Yuki-U (UID 97865) |
|---|
| 제출 | 2026. 05. 03. PM 10:47 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 29. PM 07:06 (26 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367290 [sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard Page 이름 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|