| Field | Value |
|---|---|
| Title | Cyber-III Student-Management-System 1.0 XSS vulnerability |
| Description | The class schedule deletion endpoint /admin/class schedule/delete_batch.php lacks proper administrator permission checks (unauthorized access vulnerability). Additionally, the batch parameter from the POST request is directly concatenated into the HTML response without any HTML escaping (e.g., htmlspecialchars), leading to a reflected Cross-Site Scripting (XSS) vulnerability. |
| Source | https://github.com/Cyber-III/Student-Management-System/issues/242 |
| User | zsmaaa (UID 93294) |
| Submission | 03/23/2026 08:21 (20 days ago) |
| Moderation | 04/06/2026 10:14 (14 days later) |
| Status | Accepted |
| VulDB entry | 355493 [Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f Class Schedule Deletion Endpoint delete_batch.php batch cross site scripting] |
| Points | 20 |