| Title | tittuvarghese CollegeManagementSystem 1.0 Reflected Cross-Site Scripting |
|---|
| Description | The `fetch.php` endpoint, when handling the `fetch_subject_data` action, echoes the user-supplied `department_name` POST parameter directly into an HTML `<td>` element with no sanitisation or output encoding:
```php
<td><?php echo $department_name.' ('.$department.')'; ?></td>
```
Because the value is reflected straight from the request body, an attacker can craft a POST request that carries a script payload in the `department_name` field. The server returns the snippet as an HTML fragment. If that fragment is inserted into the DOM by an AJAX callback, the payload runs in the victim's browser; if `fetch.php` can be requested directly and the browser is made to POST to it (for example through an attacker-hosted auto-submitting form), the fragment is rendered as a page and the payload runs the same way. The two sinks differ in one detail: jQuery's `html()` executes inline `<script>` elements, whereas native `innerHTML` does not, so an event-handler payload such as `<img src=x onerror=alert(1)>` fires under both. Either way the script runs in the application's origin and can read cookies not marked `HttpOnly`, issue authenticated requests on the victim's behalf (CSRF riding on the victim's session), or otherwise compromise the client side. The report does not state whether `fetch.php` requires an authenticated session; if it does, the victim must be logged in when the cross-site POST is submitted.
Steps to Reproduce
1. Identify a page that sends an AJAX POST to `fetch.php` with `action=fetch_subject_data` and renders the response into the DOM, or send that POST directly with a tool such as curl.
2. Supply a malicious `department_name` value, such as `<script>alert(1)</script>`.
3. Observe that the returned HTML contains the payload unencoded inside the `<td>`.
4. When the response is inserted into the page (or rendered directly as the result of the POST), the JavaScript executes. |
|---|
| Source | https://github.com/tittuvarghese/CollegeManagementSystem/issues/6 |
|---|
| User | Lucky ya-ya (UID 98310) |
|---|
| Submitted | 2026-05-18 06:09 PM (20 days ago) |
|---|
| Moderation | 2026-06-05 10:10 AM (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 368875 [tittuvarghese CollegeManagementSystem fetch.php department_name Cross-Site Scripting] |
|---|
| Points | 20 |
|---|
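The reported echo and its hardened form, as an added example (runnable with `php file.php`) that is not code from the CollegeManagementSystem project. Only the `echo` line quoted in the description comes from the report; the function names, the `check()` helper, the sample `department` value `CSE` and the commented shape of the handler branch are assumptions made for illustration.

```php
<?php
// Added example, not code from the CollegeManagementSystem project.
// It reproduces the reported pattern (user-controlled $department_name
// concatenated into a <td>) in one function and places the hardened
// form beside it. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Vulnerable: mirrors the reported line. Whatever arrives in the POST
// body is placed into the HTML fragment unchanged.
function renderSubjectRowVulnerable(string $department_name, string $department): string
{
    return '<td>' . $department_name . ' (' . $department . ')</td>';
}

// Output encoding for HTML body and attribute contexts. ENT_QUOTES also
// encodes ' and " so the value is safe inside quoted attributes, not only
// text nodes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string (which would silently blank the cell).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: encode every user-influenced value at the point of output.
function renderSubjectRowFixed(string $department_name, string $department): string
{
    return '<td>' . h($department_name) . ' (' . h($department) . ')</td>';
}

// Assumed shape of the handler branch in fetch.php once fixed:
//   if (($_POST['action'] ?? '') === 'fetch_subject_data') {
//       $department_name = $_POST['department_name'] ?? '';
//       echo renderSubjectRowFixed($department_name, $department);
//   }

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Constructed probe payloads. The second one fires even when the fragment
// is inserted with innerHTML, which does not execute <script> elements;
// jQuery's html() executes both.
$payloads = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
];

foreach ($payloads as $payload) {
    $vuln  = renderSubjectRowVulnerable($payload, 'CSE');
    $fixed = renderSubjectRowFixed($payload, 'CSE');

    // The vulnerable output carries the payload byte-for-byte.
    check(str_contains($vuln, $payload), 'payload reflected unencoded');

    // In the fixed output nothing between <td> and </td> may contain a
    // raw angle bracket; the markup structure is decided by the template,
    // never by the request.
    $inner = substr($fixed, 4, -5); // strip the <td> ... </td> wrapper
    check(!str_contains($inner, '<') && !str_contains($inner, '>'),
          'payload encoded in fixed output');
    check(str_contains($fixed, '&lt;'), 'entity encoding present');

    echo "vulnerable: $vuln\n";
    echo "fixed:      $fixed\n\n";
}

echo "all checks passed\n";
```

Encoding at the output sink is the fix that removes the XSS regardless of how the fragment reaches the page. Validating `department_name` against the set of department names known to the server is a worthwhile additional control, but it is not a substitute: the value is still rendered, so it must still be encoded.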