Sourcecodester Student Grades Management System Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Sourcecodester Student Grades Management System version 1.0. The issue resides in the 'Add New Subject' feature, specifically within the 'Description' field of 'classroom.php'. This vulnerability allows an authenticated user to inject malicious scripts that are subsequently executed in the context of the user’s session.
Impact
Exploitation of this vulnerability allows for session hijacking, credential theft, data exposure, and unauthorized actions on behalf of the user.
Reproduction
To reproduce this vulnerability, log in as an authenticated admin. Navigate to 'Admin', then 'Manage Subjects', and select 'Add New Subject'. In the 'Description' field, enter a payload such as an image tag with an 'onerror' attribute, or an SVG tag with an 'onload' attribute. After submitting the form, the injected payload is executed when the page is rendered, demonstrating the stored XSS vulnerability.
Remediation
It is recommended to apply contextual output encoding wherever the 'Description' value is rendered, to validate and sanitize user input on submission, and to set secure flags on session cookies to limit the impact of any script that does execute.
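The following is an added illustration of the three remediation points, not code from the Student Grades Management System project. The field name 'description', the PDO handle $pdo, the 'subjects' table and its column are assumed placeholders; the project's real schema and variable names may differ.

```php
<?php
// Added example; not the project's own code. Assumed names: the 'description'
// POST field, a PDO connection $pdo, and a 'subjects' table with a 'description'
// column are placeholders for illustration.

declare(strict_types=1);

// 1. Session cookie hardening. HttpOnly stops script from reading the cookie,
//    Secure restricts it to HTTPS, SameSite limits cross-site sending.
//    Must run before session_start() (array form needs PHP 7.3+).
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Input validation on the way in: reject empty, oversize, or
//    control-character input. This is a sanity check, not the XSS defence;
//    the defence is output encoding in step 3.
function validate_description(string $raw): string
{
    $trimmed = trim($raw);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 500) {
        throw new InvalidArgumentException('Description must be 1-500 characters.');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $trimmed)) {
        throw new InvalidArgumentException('Description contains control characters.');
    }
    return $trimmed;
}

// Store the raw (validated) text with a prepared statement. Do NOT HTML-encode
// before storing: encoding is tied to the output context, not the storage.
function store_description(PDO $pdo, string $raw): void
{
    $desc = validate_description($raw);
    $stmt = $pdo->prepare('INSERT INTO subjects (description) VALUES (:d)');
    $stmt->execute([':d' => $desc]);
}

// 3. Contextual output encoding for an HTML text node or quoted attribute.
//    ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE avoids returning an
//    empty string on invalid UTF-8, which would silently drop data.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Vulnerable pattern: the stored value is echoed verbatim into the page ---
function render_subject_row_vulnerable(array $row): string
{
    return '<td>' . $row['description'] . '</td>';
}

// --- Hardened pattern: the same value passes through the encoder ---
function render_subject_row(array $row): string
{
    return '<td>' . e($row['description']) . '</td>';
}

// Demonstration on a constructed row standing in for a database result,
// using the kind of payload the advisory describes.
$constructedRow = ['description' => '<img src=x onerror="alert(1)">'];
echo "vulnerable: " . render_subject_row_vulnerable($constructedRow) . PHP_EOL;
echo "hardened:   " . render_subject_row($constructedRow) . PHP_EOL;
```

Encode at the point of output rather than on storage so the same stored text can be rendered safely in HTML, JSON, or a JavaScript string with the encoder appropriate to each context; the validation step only narrows the input, it does not make it safe to echo.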
