CVE-2025-1955

Vendor

https://code-projects.org/online-class-and-exam-scheduling-system-in-php-with-source-code/

Vulnerability file

/Scheduling/scheduling/pages/profile.php

Description

/Scheduling/scheduling/pages/profile.php in the Online Class and Exam Scheduling System contains an unrestricted stored cross-site scripting (XSS) vulnerability. The controllable parameter is username. The page writes the stored username value into an echo statement without any filtering or output encoding, so a payload saved in that field is rendered as HTML and executed as script whenever the profile page is viewed. An attacker can exploit this to run script in other users' browsers and obtain sensitive information from them.

Code analysis

Screenshot 2025-02-27 152726.png

The profile page updates the user record, queries it back from the database and outputs it with <?php echo $row['username'];?>. The echoed username is neither filtered nor HTML-encoded, so any script stored in the username field is executed when the page is rendered.
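The following is an added example, not code from the project or from the original report. It reproduces the pattern described above in a stand-alone PHP script: a constructed $row array stands in for the record fetched from the database, renderUnescaped() shows the vulnerable echo, and renderEscaped() shows the same output with htmlspecialchars() applied at the point of output. The function names and the surrounding HTML are assumptions for illustration only.

```php
<?php
// Added example (not the project's code). Demonstrates why an unescaped
// echo of a database value is a stored XSS sink, beside the escaped form.
declare(strict_types=1);

// Constructed sample record: a username saved with the POC payload.
$row = ['username' => '<script>alert(1)</script>'];

// Vulnerable pattern: the stored value is written straight into the HTML
// body, so the browser parses the <script> tag and runs it.
function renderUnescaped(array $row): string
{
    return '<h3>Welcome, ' . $row['username'] . '</h3>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES also encodes single quotes, which matters if the same value
// is ever placed inside an attribute.
function renderEscaped(array $row): string
{
    $safe = htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h3>Welcome, ' . $safe . '</h3>';
}

// Vulnerable output keeps the payload intact:
//   <h3>Welcome, <script>alert(1)</script></h3>
echo renderUnescaped($row), PHP_EOL;

// Escaped output renders the payload as visible text instead of script:
//   <h3>Welcome, &lt;script&gt;alert(1)&lt;/script&gt;</h3>
echo renderEscaped($row), PHP_EOL;
```

Escaping at output is the fix that closes this sink regardless of how the value got into the database; validating the username on save (for example, allowing only letters, digits and a few punctuation characters) is a useful second layer but does not replace output encoding, because the same column may be written by other code paths.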

POC

<script>alert(1)</script>

Enter the payload in the username field and click the Save button to trigger the stored cross-site scripting vulnerability.

Screenshot 2025-02-27 152733.png

Result

Screenshot 2025-02-27 153100.png

Screenshot 2025-02-27 152644.png