| Название | hemant6488 CodeIgniter-StudentManagementSystem 1.0 Stored Cross-Site Scripting |
|---|
| Описание | The `addStudent` method in the `Students` controller does not perform any input filtering or sanitisation before storing user-supplied data in the database. Subsequently, the `view_students.php` view renders the student’s name directly without HTML entity encoding.
This allows an attacker to inject arbitrary JavaScript (e.g., via the `name` parameter) that is persisted in the database and executed whenever any user visits the student listing page. Because the endpoint is accessible without authentication (see the Broken Access Control vulnerability), the attack can be carried out by an anonymous remote user. |
|---|
| Источник | ⚠️ https://github.com/hemant6488/CodeIgniter-StudentManagementSystem/issues/6 |
|---|
| Пользователь | BingZhe (UID 97643) |
|---|
| Представление | 27.04.2026 17:53 (1 месяц назад) |
|---|
| Модерация | 25.05.2026 21:08 (28 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 365538 [hemant6488 CodeIgniter-StudentManagementSystem Students Controller view_students.php addStudent Имя межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|