Institute-of-Current-Students Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Institute-of-Current-Students application, version 1.0. The issue arises in the /postquerypublic endpoint, where the email parameter is not properly sanitized before being reflected in the HTML response. This vulnerability allows unauthenticated attackers to inject and execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or other client-side attacks.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, which could be used for session hijacking, credential theft, or other client-side attacks.
Reproduction
To reproduce this vulnerability, send a POST request to the /postquerypublic endpoint with a crafted email parameter that includes JavaScript payloads. The injected script will be executed in the context of the user's browser.
Remediation
Users are advised to sanitize all user inputs before reflecting them in the HTML response. Implementing server-side input validation and setting strong Content Security Policy headers can also help mitigate this vulnerability.
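The following is an added example, not code from the Institute-of-Current-Students project: it shows the unsafe reflection pattern next to a handler that combines the three measures named above (server-side validation, encoding on output, and a Content Security Policy header). The handler name, response markup, email pattern and policy string are assumptions, since the application's own code is not shown here.

```python
import html
import re

# Conservative allow-list for the email field (an assumption, not the app's own rule).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}")

# Restrictive policy: inline script does not run even if an encoding step is missed.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def reflect_unsafe(email: str) -> str:
    """The vulnerable pattern: the parameter is concatenated into HTML as-is."""
    return "<p>Query received from " + email + "</p>"


def render_ack(email: str) -> str:
    """Encode on output so markup characters arrive in the browser as text."""
    return "<p>Query received from " + html.escape(email, quote=True) + "</p>"


def handle_postquerypublic(form: dict) -> tuple:
    """Hypothetical handler: validate first, encode on output, always set headers."""
    email = form.get("email", "")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    if not EMAIL_RE.fullmatch(email):
        # Reject without echoing the rejected value back into the page.
        return 400, headers, "<p>Invalid email address.</p>"
    # Encode even validated input: validation rules drift, encoding is the control.
    return 200, headers, render_ack(email)


# Constructed sample inputs for the demonstration.
SAMPLE_MARKUP = '"><script>alert(1)</script>'
SAMPLE_VALID = "student@example.edu"

if __name__ == "__main__":
    print(reflect_unsafe(SAMPLE_MARKUP))                      # markup survives intact
    print(render_ack(SAMPLE_MARKUP))                          # markup rendered inert
    print(handle_postquerypublic({"email": SAMPLE_MARKUP}))   # rejected with 400
    print(handle_postquerypublic({"email": SAMPLE_VALID}))    # accepted with 200
```

Encoding is applied after validation on purpose: if the validation rule is later loosened, the response still cannot carry live markup.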
