Submit #692065: SourceCodester Student Grades Management System 1.0 Cross Site Scripting

Title: SourceCodester Student Grades Management System 1.0 Cross Site Scripting
Description: Vulnerability Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in the Student Grades Management System. The remarks field submitted when creating a grade is stored in the database and later rendered into the page without proper HTML encoding, allowing an authenticated user to store JavaScript that executes in the browsers of other users (or of the same user on page reload).

Vulnerable parameter: remarks (POST)
Type: Stored (persistent) XSS, authenticated.

Steps to Reproduce:
Step 1: Log in to the application with valid credentials (teacher account).
Step 2: Navigate to Grades → Add New Grade (page grades.php).
Step 3: Fill in the required fields (Student, Subject, Classroom, Grade Type, Grade). In Remarks, enter a JavaScript payload such as <script>alert(1)</script>.
Step 4: After submission, view the Recent Grades table or reload grades.php. The alert box appears.

Root cause: User-supplied remarks are stored in the database and later rendered into the HTML page without output encoding or sanitization. Even though the INSERT uses PDO prepared statements (which prevent SQL injection), the application echoes the raw remarks back to the page, allowing stored JavaScript to execute in users' browsers (stored XSS).

Impact: This vulnerability allows an attacker to inject and store malicious JavaScript code in the database (stored XSS). When other users or administrators view the affected page, the injected script executes in their browser with the same privileges as the legitimate user. This can lead to session hijacking, credential theft, defacement of the application, unauthorized actions on behalf of users, and potential spread of malware through the application interface.

Mitigation:
Output Encoding: Always encode dynamic output before rendering it in HTML pages, using functions like htmlspecialchars($data, ENT_QUOTES, 'UTF-8') in PHP.
Input Validation: Validate and restrict input fields (like remarks) to expected formats (e.g., only allow alphanumeric characters and basic punctuation). Sanitize user inputs before storing them in the database.
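The following is an added PHP example, not code from the Student Grades Management System or from the submitter. It shows the two mitigations above side by side with the vulnerable pattern the report describes: a PDO prepared INSERT stores the report's payload unchanged (prepared statements address SQL injection, not XSS), the raw echo reproduces the stored XSS, and HTML encoding at render time neutralizes it. The in-memory SQLite database, the sample row, and the helper names e(), render_remarks_vulnerable(), render_remarks_safe() and validate_remarks() are assumptions made here so the script runs stand-alone with the PHP CLI; the real application uses its own MySQL schema.

```php
<?php
// Added example (not the project's code). Demonstrates why a PDO prepared
// INSERT does not prevent stored XSS, and how output encoding at render
// time fixes it. Uses an in-memory SQLite database (constructed here)
// instead of the application's own schema, so it runs stand-alone.

// Constructed sample input: the same payload the report uses.
$remarks_input = '<script>alert(1)</script>';

// Input validation (allow-list): letters, digits, whitespace and basic
// punctuation only, bounded in length. Hypothetical helper name.
function validate_remarks(string $remarks): bool {
    return strlen($remarks) <= 255
        && preg_match('/^[\p{L}\p{N}\s.,;:!?()\'"-]*$/u', $remarks) === 1;
}

// Output encoding: HTML-encode every dynamic value at render time.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attribute values as well as element bodies; ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering (the pattern described in the report): raw echo.
function render_remarks_vulnerable(string $remarks): string {
    return '<td>' . $remarks . '</td>';
}

// Hardened rendering: same markup, but the dynamic value is encoded.
function render_remarks_safe(string $remarks): string {
    return '<td>' . e($remarks) . '</td>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE grades (id INTEGER PRIMARY KEY, student TEXT, remarks TEXT)');

// Defense in depth: reject input that fails the allow-list before storage.
echo "Validation result: " . (validate_remarks($remarks_input) ? 'accepted' : 'rejected') . PHP_EOL;

// Prepared statement: safe against SQL injection, but it stores the
// payload byte-for-byte. Storage is not where XSS is decided, which is
// why output encoding is still required even when validation is in place.
$stmt = $pdo->prepare('INSERT INTO grades (student, remarks) VALUES (:student, :remarks)');
$stmt->execute([':student' => 'Alice', ':remarks' => $remarks_input]);

$row = $pdo->query('SELECT student, remarks FROM grades')->fetch(PDO::FETCH_ASSOC);

echo "Stored value:      " . $row['remarks'] . PHP_EOL;
echo "Vulnerable output: " . render_remarks_vulnerable($row['remarks']) . PHP_EOL;
echo "Safe output:       " . render_remarks_safe($row['remarks']) . PHP_EOL;
```

Run it with `php example.php` (requires the pdo_sqlite extension). The validation step rejects the payload because `<` and `>` are outside the allow-list, and the safe renderer turns the angle brackets into `&lt;` and `&gt;` so the browser displays the text instead of executing it. Encoding belongs at the output boundary, applied to every value that reaches the page, because stored data may have entered through paths that skipped validation.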
Source: https://medium.com/@ankitkaushal43731/title-student-grades-management-system-stored-xss-authenticated-in-grades-php-remarks-field-d9625243df06
User: ankitkumar7 (UID 92491)
Submission: 11/10/2025 12:02 (5 months ago)
Moderation: 11/18/2025 10:01 (8 days later)
Status: Accepted
VulDB entry: 332766 [SourceCodester Student Grades Management System 1.0 Add New Grade Page /grades.php Remarks cross site scripting]
Points: 20
