| tiêu đề | tittuvarghese CollegeManagementSystem 1.0 Reflected Cross‑Site Scripting |
|---|
| Mô tả | The `fetch.php` endpoint, when handling the `fetch_subject_data` action, directly echoes the user‑supplied `department_name` POST parameter into an HTML `<td>` element without any sanitisation or output encoding:
```php
<td><?php echo $department_name.' ('.$department.')'; ?></td>
```
Because the value is reflected directly from the request body, an attacker can craft a POST request containing a malicious script in the department_name field. When the server returns this HTML snippet (typically consumed by an AJAX callback and injected into the DOM with innerHTML or jQuery’s html()), the script executes in the victim’s browser, leading to session theft, CSRF attacks, or other client‑side compromises.
Steps to Reproduce
Identify a page that sends an AJAX POST to fetch.php with action=fetch_subject_data and renders the response into the DOM.
Inject a malicious department_name value, such as <script>alert(1)</script>.
Observe that the returned HTML contains the unescaped script tag.
If the response is inserted into the page, the JavaScript executes. |
|---|
| Nguồn | ⚠️ https://github.com/tittuvarghese/CollegeManagementSystem/issues/6 |
|---|
| Người dùng | Lucky ya-ya (UID 98310) |
|---|
| Đệ trình | 18/05/2026 18:09 (cách đây 23 ngày) |
|---|
| Kiểm duyệt | 05/06/2026 10:10 (18 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 368875 [tittuvarghese CollegeManagementSystem fetch.php department_name Tập lệnh chéo trang] |
|---|
| điểm | 20 |
|---|