Submit #822848: raisulislamg4 student_management_system_by_php 1.0 Stored Cross-Site Scriptinginfo

Titleraisulislamg4 student_management_system_by_php 1.0 Stored Cross-Site Scripting
DescriptionThe admission form (`admission_form_check.php`) directly inserts the user‑supplied `message` field into the database without sanitisation: ```php $message_data = $_POST['message']; ... VALUES(..., '$message_data', 'Pending') Later, the admin panel (admissions.php) displays all admission records, rendering the MESSAGE column directly inside an HTML <td> without any output encoding: <td><?php echo "{$info['MESSAGE']}"; ?></td> An attacker can submit an admission form containing a malicious JavaScript payload in the message field. When an administrator visits the admissions list, the script executes in their browser, leading to session theft, account takeover, or further malicious actions.
Source⚠️ https://github.com/raisulislamg4/student_management_system_by_php/issues/5
User
 roxci (UID 98086)
Submission05/08/2026 07:00 (2 months ago)
Moderation05/31/2026 09:59 (23 days later)
StatusAccepted
VulDB entry367507 [raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1 admission_form_check.php Message cross site scripting]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!