Code-Projects Student Information System Cross-Site Scripting Vulnerability in Profile Editing Feature

A cross-site scripting (XSS) vulnerability has been identified in Code-Projects Student Information System version 2.0. The issue resides in the 'editprofile.php' file, specifically within an unknown function that handles profile updates. This vulnerability allows remote attackers to inject malicious scripts, which could be executed in the context of the user's browser. The flaw arises from improper sanitization of user input, particularly the 'firstname' parameter, before it is stored and later displayed. Exploitation of this vulnerability could lead to a stored XSS attack, where the injected script is executed each time the affected profile is viewed.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to the theft of cookies or other sensitive information.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the profile editing page. Once there, enter a script payload, such as a JavaScript alert tag, into the 'firstname' field. After submitting the form, the injected script will be executed when the profile is viewed, demonstrating the cross-site scripting vulnerability.