| Title | https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL Version: 1.0 Cross Site Scripting - Reflected XSS |
|---|
| Description | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the
CET AI Predictive Grading System. The 'action' GET parameter in
index.php is passed through the PHP str_replace() function on line 557
and written directly into the HTML output without any output encoding
or sanitization. An unauthenticated attacker can craft a malicious URL
containing arbitrary JavaScript and deliver it to any victim. When the
link is opened, the script executes in the victim's browser within the
trusted application context, allowing session hijacking, credential
theft, and unauthorized access. No authentication is required to
trigger this vulnerability.
Vulnerable Code (index.php line 557):
`str_replace('_', ' ', $action)`
Fixed Code:
`htmlspecialchars(str_replace('_', ' ', $action), ENT_QUOTES, 'UTF-8')`
During a manual source code review of index.php, the 'action' GET
parameter was identified as being reflected directly into the HTML
output without sanitization. The following test payload was injected
into the URL parameter to confirm the vulnerability:
http://localhost/PersonalAGS/index.php?action=<script>alert('XSS')</script>
Upon loading the crafted URL in a web browser, the injected JavaScript
executed immediately, displaying an alert dialog box confirming the
presence of the reflected XSS vulnerability. The raw payload was also
visible unencoded in the HTML page source, confirming the lack of
output encoding.
Proof of Concept:
Affected URL:
http://localhost/PersonalAGS/index.php
Vulnerable Parameter: action (GET)
Payload 1 — Basic script injection:
?action=<script>alert('XSS')</script>
Payload 2 — Image tag event handler:
?action=<img src=x onerror=alert('XSS')>
Payload 3 — SVG based execution:
?action=<svg onload=alert('XSS')>
Proof of Concept URL:
http://[host]/PersonalAGS/index.php?action=<script>alert(document.cookie)</script>
Steps to Reproduce:
1. Open a web browser
2. Navigate to the application URL
3. Append the payload to the action parameter in the URL
4. The JavaScript executes immediately upon page load
5. No authentication is required to trigger this vulnerability
Impact:
- Session cookie theft and account takeover
- Credential harvesting via fake login forms
- Redirection to malicious external websites
CVE Type: Remote
Auth: Not Required
Interaction: Victim must click the crafted URL
CWE: CWE-79
CVSS: 6.1 (Medium) |
|---|
| Source | https://cwe.mitre.org/data/definitions/79.html |
|---|
| User | Abhay mp (UID 98542) |
|---|
| Submission | 05/26/2026 19:27 (19 days ago) |
|---|
| Moderation | 06/13/2026 07:55 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370818 [SourceCodester CET Automated Grading System with AI Predictive Analytics /index.php cross site scripting] |
|---|
| Points | 20 |
|---|
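The fix quoted in the description (encoding the reflected `action` value with `htmlspecialchars()` at the output sink) is shown below next to the vulnerable pattern, with an allow-list check added as a second layer. This is an added example written for this entry, not code from the SourceCodester project; the function names, the `ALLOWED_ACTIONS` list and the probe string are assumptions constructed for illustration.

```php
<?php
// Added example (not the project's code): hardening a reflected 'action'
// parameter of the kind described in the entry above.
declare(strict_types=1);

// Assumed set of actions the page supports; the real application's list is
// not on the page, so these values are placeholders.
const ALLOWED_ACTIONS = ['view_grades', 'predict_scores', 'edit_profile'];

// Vulnerable pattern from the report: the raw parameter reaches the HTML
// output with only str_replace() applied, so markup in it is rendered.
function renderTitleVulnerable(string $action): string
{
    return '<h1>' . str_replace('_', ' ', $action) . '</h1>';
}

// Fix from the report: encode at the output sink. ENT_QUOTES also encodes
// single quotes, so the value is safe inside quoted attributes too.
function renderTitleEncoded(string $action): string
{
    return '<h1>'
        . htmlspecialchars(str_replace('_', ' ', $action), ENT_QUOTES, 'UTF-8')
        . '</h1>';
}

// Defence in depth: reject anything that is not a known action before it is
// used at all. Unknown or missing values fall back to a safe default.
function resolveAction(?string $action): string
{
    if ($action === null || !in_array($action, ALLOWED_ACTIONS, true)) {
        return 'view_grades';
    }
    return $action;
}

// Hardened rendering: allow-list first, then output encoding. ENT_SUBSTITUTE
// makes htmlspecialchars() replace invalid UTF-8 instead of returning ''.
function renderTitleHardened(?string $action): string
{
    $safe = resolveAction($action);
    return '<h1>'
        . htmlspecialchars(str_replace('_', ' ', $safe), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h1>';
}

// Detection helper for a regression test: true if the rendered HTML still
// contains the probe string unencoded.
function leaksRawPayload(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Self-check with a constructed probe; throws on any unexpected result.
function selfCheck(): void
{
    $probe = "<script>alert('XSS')</script>"; // constructed test marker
    $expectedEncoded = '<h1>&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</h1>';

    if (!leaksRawPayload(renderTitleVulnerable($probe), $probe)) {
        throw new RuntimeException('vulnerable renderer unexpectedly encoded the probe');
    }
    if (renderTitleEncoded($probe) !== $expectedEncoded) {
        throw new RuntimeException('encoded output differs from expected');
    }
    if (renderTitleHardened($probe) !== '<h1>view grades</h1>') {
        throw new RuntimeException('allow-list did not reject the probe');
    }
    if (renderTitleHardened('predict_scores') !== '<h1>predict scores</h1>') {
        throw new RuntimeException('allow-listed action was not rendered');
    }
}

if (PHP_SAPI === 'cli') {
    selfCheck();
    echo "all checks passed\n";
} else {
    // In a web context, render only the validated and encoded value.
    echo renderTitleHardened($_GET['action'] ?? null);
}
```

Run it with `php example.php` to execute the self-check. The allow-list is the more important of the two layers for a parameter like `action`, which selects behaviour rather than carrying free text: even with correct encoding, an unexpected value should not reach application logic. Encoding still has to happen at every sink, because the same value may later be placed in a JavaScript string or a URL, where `htmlspecialchars()` alone is not the right encoder.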