code-projects Online Exam Mastering System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in code-projects Online Exam Mastering System version 1.0. The issue arises in the feedback form's name field, where user input is not properly sanitized. This lack of sanitization allows for the injection of arbitrary JavaScript. When an administrator later views this feedback in the admin dashboard, the injected script executes in the admin's browser. This exploitation can lead to session hijacking and potential privilege escalation.

Impact

Exploitation of this vulnerability allows for session hijacking of admin users, impersonation of the admin, and unauthorized administrative access, including the ability to modify or delete test data. Additionally, it could facilitate further privilege escalation.

Reproduction

To reproduce this vulnerability, submit a script payload into the name field of the feedback form. After submitting, log in as an admin and view the feedback in the admin dashboard. The injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, sanitize user input by escaping HTML special characters. Utilize a robust sanitization library, such as PHP's htmlspecialchars(), and consider implementing a Content Security Policy. Additionally, encoding data before rendering it in the DOM can help mitigate the risk.