Отправить #836639: imvks786 student_management_system 1.0 Stored Cross‑Site ScriptingИнформация

Названиеimvks786 student_management_system 1.0 Stored Cross‑Site Scripting
ОписаниеThe `add.php` script inserts a new student record by directly concatenating `$_POST` fields (such as `name`, `address`, `fname`, etc.) into an SQL query without any sanitisation: ```php $name = $_POST['name']; ... $sql = "INSERT INTO student (name,fname,...) values('$name','$fname',...)"; ``` Later, multiple pages display student data by echoing the raw database values directly into HTML without using htmlspecialchars() or any other output encoding: echo "<td>".$row["name"]."</td>"; echo "<td>".$row["address"]."</td>"; An attacker can submit a student entry containing a malicious payload (e.g., <svg/onload=alert(1337)>) in fields like name or address. When any user (admin, teacher, student) views the student list or profile, the injected script executes in their browser, leading to session theft, cookie hijacking, and further compromise.
Источник⚠️ https://github.com/imvks786/student_management_system/issues/5
Пользователь
 Marry_2026 (UID 98397)
Представление25.05.2026 06:49 (17 дни назад)
Модерация07.06.2026 21:53 (14 days later)
Статуспринято
Запись VulDB369151 [imvks786 student_management_system до 9599b560ad3c3b83e75d328b76bedcd489ef1f46 /add.php name/address/fname межсайтовый скриптинг]
Баллы20

ПредыдущийОбзорДалее

Do you want to use VulDB in your project?

Use the official API to access entries easily!