| Title | CampCodes School Management Software 1.0 Account Takeover Possibility via Stored Cross Site Scripting |
|---|
| Description | Vendor and Product Information:
Vendor: CampCodes
Product: School Management Software
Product URL: https://www.campcodes.com/downloads/school-management-software-in-php-mysql-full-source-code/
Vulnerability Name: Account Takeover Possibility via Stored Cross Site Scripting
Description:
The application’s calendar module “/academic calendar” is vulnerable to cross site scripting. Teachers can view the calendar module and add an event to the calendar. The same event can then be seen in another teacher’s calendar. Since the calendar module is vulnerable to XSS, one teacher can exploit this vulnerability and potentially steal another teacher’s session cookie to perform account takeover.
Payload:
<img src=x onerror=alert(document.cookie)> |
|---|
| Source | ⚠️ https://github.com/KhukuriRimal/Vulnerabilities/blob/main/Stored%20Cross%20Site%20Scripting-%20Teachers%20Account%20Takeover%20Possibility.pdf |
|---|
| User | khukuririmal (UID 80171) |
|---|
| Submission | 02/02/2025 12:27 (1 Year ago) |
|---|
| Moderation | 02/10/2025 09:02 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 295063 [CampCodes School Management Software 1.0 /academic-calendar cross site scripting] |
|---|
| Points | 20 |
|---|