code-projects Online Exam Mastering System
cpe:2.3:a:code-projects:online_exam_mastering_system:*:*:*:*:*:*:*
- 1.0
A reflected cross-site scripting vulnerability has been identified in Code-Projects Online Exam Mastering System version 1.0. The issue resides in the feedback.php file, where the 'q' parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary JavaScript. Exploitation could lead to session cookie theft, account takeover, or other client-side attacks.
Successful exploitation allows for session cookie theft, leading to account takeover. If an admin user is targeted, it could result in privilege escalation.
To reproduce this vulnerability, send a request to the feedback.php file with a crafted 'q' parameter that includes a script tag. The injected script will be executed in the context of the user's browser, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, sanitize and encode user input before rendering it. Utilize security libraries like OWASP's ESAPI or PHP's built-in functions such as htmlspecialchars(). Implement a Content Security Policy (CSP) to mitigate the impact of injected scripts.
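The mitigation above, as an added example that is not the project's own code: it assumes feedback.php echoes the 'q' parameter into an HTML element body, and the helper names `html_encode` and `csp_header` are hypothetical. The sample input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for how feedback.php might read and echo 'q';
// the project's real code is not shown in this entry.

/** Encode untrusted text for an HTML element body or a quoted attribute. */
function html_encode(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build a CSP that only allows scripts carrying this response's nonce. */
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'";
}

// Accept 'q' only as a string; array input (?q[]=x) is treated as empty.
$q = $_GET['q'] ?? '';
if (!is_string($q)) {
    $q = '';
}
// Constructed sample input so the script also runs from the CLI.
if (PHP_SAPI === 'cli') {
    $q = '<script>alert(1)</script>';
}

// Headers must be sent before any output.
$nonce = base64_encode(random_bytes(16));
header(csp_header($nonce));
header('Content-Type: text/html; charset=UTF-8');

// Before (vulnerable pattern): echo "<p>" . $q . "</p>";
// After: the value is encoded at the point of output, so markup in 'q'
// is rendered as text rather than parsed by the browser.
echo '<p>', html_encode($q), "</p>\n";
```

`htmlspecialchars()` is only correct for HTML body and quoted-attribute contexts; a value placed inside a script block, URL, or CSS needs encoding specific to that context.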