| 标题 | tittuvarghese CollegeManagementSystem 1.0 Reflected Cross‑Site Scripting |
|---|
| 描述 | The `fetch.php` endpoint, when handling the `fetch_subject_data` action, directly echoes the user‑supplied `department_name` POST parameter into an HTML `<td>` element without any sanitisation or output encoding:
```php
<td><?php echo $department_name.' ('.$department.')'; ?></td>
```
Because the value is reflected directly from the request body, an attacker can craft a POST request containing a malicious script in the department_name field. When the server returns this HTML snippet (typically consumed by an AJAX callback and injected into the DOM with innerHTML or jQuery’s html()), the script executes in the victim’s browser, leading to session theft, CSRF attacks, or other client‑side compromises.
Steps to Reproduce
Identify a page that sends an AJAX POST to fetch.php with action=fetch_subject_data and renders the response into the DOM.
Inject a malicious department_name value, such as <script>alert(1)</script>.
Observe that the returned HTML contains the unescaped script tag.
If the response is inserted into the page, the JavaScript executes. |
|---|
| 来源 | ⚠️ https://github.com/tittuvarghese/CollegeManagementSystem/issues/6 |
|---|
| 用户 | Lucky ya-ya (UID 98310) |
|---|
| 提交 | 2026-05-18 18時09分 (19 日前) |
|---|
| 管理 | 2026-06-05 10時10分 (18 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 368875 [tittuvarghese CollegeManagementSystem fetch.php department_name 跨网站脚本] |
|---|
| 积分 | 20 |
|---|