CloudClassroom PHP Project Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in CloudClassroom-PHP-Project version 1.0. The issue resides in the email parameter of the postquerypublic endpoint, where improper input sanitization allows attackers to inject arbitrary JavaScript. This injected script executes in the context of the user's browser, potentially leading to session hijacking or phishing attacks.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, deploy the affected PHP application locally. Once the application is running, send a POST request to the postquerypublic endpoint, including a crafted email parameter that contains the injected JavaScript, such as a script tag with an alert function. The application will reflect the injected script without proper sanitization, executing it in the user's browser.