Submit #818540: sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Stored Cross-Site Scriptinginfo

Titlesambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Stored Cross-Site Scripting
DescriptionThe backend dashboards (admin, student, teacher) display detailed information about students and teachers by directly echoing database values without any HTML entity encoding. A typical example from `admin_dashboard.php`: ```php <input type="text" id="btn1" value="<?php echo $row['name']?>" disabled> ``` Because $row['name'] is output as‑is inside an HTML attribute, an attacker who previously inserted a malicious payload (e.g., via Vulnerability #2 – Unauthorised Data Insertion) into the name field can break out of the attribute and inject arbitrary JavaScript. When an administrator or other user views the dashboard, the injected script executes in their browser.
Source⚠️ https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/3
User
 Yuki-U (UID 97865)
Submission05/03/2026 22:47 (2 months ago)
Moderation05/29/2026 19:06 (26 days later)
StatusAccepted
VulDB entry367290 [sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard Page Name cross site scripting]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!