| Title | Craig A Rodway classroombookings 2.16.4 Stored Cross-Site Scripting (XSS) |
|---|
| Description | A stored cross-site scripting (XSS) vulnerability in Classroom Bookings v2.16.4 allows authenticated users with the Teacher role to inject arbitrary JavaScript via the Display Name field in the profile settings. The malicious payload is stored and executed when the affected data is rendered, leading to execution of attacker-controlled scripts in other users’ browsers. |
|---|
| Source | ⚠️ https://github.com/sudo-secure/security-research/blob/main/classroombookings/stored-xss/PoC.md |
|---|
| User | sudosme (UID 96548) |
|---|
| Submission | 03/23/2026 13:54 (25 days ago) |
|---|
| Moderation | 04/17/2026 08:58 (25 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358027 [classroombookings up to 2.17.0 User Display Name layout.php read displayname cross site scripting] |
|---|
| Points | 18 |
|---|