| Field | Value |
|---|---|
| Title | itsourcecode Fees Management System V1.0 Reflected Cross-Site Scripting (XSS) |
| Description | A critical Reflected Cross-Site Scripting (XSS) vulnerability exists in the SchoolFees Portal administration panel (version 1.0). The vulnerability stems from the unvalidated `page` URL parameter in the index.php component (line 72), which is reflected directly into both the PHP include path and client-side JavaScript code without sanitization or output encoding. By crafting a malicious request such as `GET /index.php?page=')</script><script>alert(0)</script>(`, an attacker can inject arbitrary JavaScript that executes within the victim's browser session. The payload `')</script><script>alert(0)</script>(` closes the existing JavaScript string and the enclosing script tag, allowing injection of further scripts while bypassing basic syntax checks. Successful exploitation enables session hijacking (via cookie theft), unauthorized actions on behalf of the victim, sensitive data exfiltration, phishing attacks, and full compromise of user trust. The vulnerability also exposes the application to path traversal risks through the dynamic `include($page . '.php')` call, though the primary risk is reflected XSS. |
| Source | https://github.com/Gach0ng/vuldb_submit/issues/5 |
| User | gachong (UID 98198) |
| Submission | 05/22/2026 05:35 (19 days ago) |
| Moderation | 06/04/2026 07:18 (13 days later) |
| Status | Duplicate |
| VulDB entry | 367594 [itsourcecode Fees Management System 1.0 index.php page cross site scripting] |
| Points | 0 |
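The description names two sinks for the same unvalidated `page` parameter: a dynamic `include()` and a JavaScript string literal. The following is an added example, not code from itsourcecode or from the submitter: it reconstructs that pattern from the description (the vendor's actual index.php is not on this page, so the surrounding code is an assumption) and places a hardened version beside it. The page names in the allowlist and the variable names are placeholders.

```php
<?php
// Added example (not the project's code). The vulnerable handler below is
// reconstructed from the advisory's description: one raw GET parameter feeds
// both an include() path and a JavaScript string. The hardened handler fixes
// both sinks with an allowlist plus context-aware encoding.

// --- Vulnerable pattern, as the advisory describes it ---------------------
function render_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'home';
    // Both sinks receive the raw parameter. The include is shown as a string
    // here so the example runs without the application's files.
    $include = "include('" . $page . ".php')";   // stands in for include($page . '.php')
    $script  = "<script>var page = ('" . $page . "');</script>";
    return $include . "\n" . $script;
}

// --- Hardened version -----------------------------------------------------

// Allowlist of modules the application actually ships. Names are placeholders;
// a real deployment lists its own page files.
const ALLOWED_PAGES = ['home', 'students', 'fees', 'payments', 'reports'];

function resolve_page(array $get): string
{
    $page = $get['page'] ?? 'home';
    // Reject anything outside the allowlist rather than trying to clean it.
    // This closes the include-path problem and removes attacker-controlled
    // input from the reflection in one step.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return 'home';
    }
    return $page;
}

function js_string(string $value): string
{
    // Encode for a JavaScript string context. JSON_HEX_TAG turns < and > into
    // \u003C and \u003E so the value can never terminate the <script> element;
    // the remaining flags cover quotes and ampersands.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

function render_hardened(array $get): string
{
    $page    = resolve_page($get);
    $include = "include('" . $page . ".php')";
    $script  = '<script>var page = ' . js_string($page) . ';</script>';
    return $include . "\n" . $script;
}

// --- Demonstration with the payload quoted in the advisory ----------------
$payload = "')</script><script>alert(0)</script>(";
$request = ['page' => $payload];

echo "Vulnerable output:\n", render_vulnerable($request), "\n\n";
// The reflected value closes the string literal and the <script> element.

echo "Hardened output:\n", render_hardened($request), "\n\n";
// The allowlist falls back to 'home', so only include('home.php') and
// <script>var page = "home";</script> are emitted.

// Defence in depth: even a value that bypassed the allowlist would stay
// inside the string literal once encoded.
echo "Encoded sample: ", js_string($payload), "\n";
```

The allowlist is the primary control: it decides which file may be included and therefore what can be reflected, without relying on escaping. `js_string()` is the second layer for the JavaScript context; if the same value were also written into HTML text or an attribute, it would need `htmlspecialchars()` for that context instead, since JSON encoding alone does not cover HTML.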